Edit tour

Windows Analysis Report
Calyciform.exe

Overview

General Information

Sample name:	Calyciform.exe
Analysis ID:	1554165
MD5:	0b813c3349387a69277d7f8a0d20fe3d
SHA1:	d0c4aa5fffba33d1f7c9c184cd3acb90f6a75650
SHA256:	d2473f318c1386699bdd8442cfe5455d44e18ec23d4b2482ffc82c7c227ab9ad
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Switches to a custom stack to bypass stack traces

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64native

Calyciform.exe (PID: 1676 cmdline: "C:\Users\user\Desktop\Calyciform.exe" MD5: 0B813C3349387A69277D7F8A0D20FE3D)

Calyciform.exe (PID: 6632 cmdline: "C:\Users\user\Desktop\Calyciform.exe" MD5: 0B813C3349387A69277D7F8A0D20FE3D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.130225753929.0000000002FAF000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.134606321221.000000000174F000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Calyciform.exe	ReversingLabs: Detection: 45%
Source: Calyciform.exe	Virustotal: Detection: 37%			Perma Link

Source: Calyciform.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Calyciform.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: mshtml.pdbUGP source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\Calyciform.exe	Code function: 0_2_00405745 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405745
Source: C:\Users\user\Desktop\Calyciform.exe	Code function: 0_2_00406280 FindFirstFileA,FindClose,	0_2_00406280
Source: C:\Users\user\Desktop\Calyciform.exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE

Source: global traffic

TCP traffic: 192.168.11.20:49771 -> 45.137.22.248:80

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.248

Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin#?_v
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin/?Kv
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin7?Sv
Source: Calyciform.exe, 00000002.00000002.134609519488.0000000002897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binJ
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binK?
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binM
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binS?
Source: Calyciform.exe, 00000002.00000002.134609519488.0000000002897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin_
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin_?
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binedvmbusRFCOMM
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binh
Source: Calyciform.exe, 00000002.00000002.134609519488.0000000002897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binl
Source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: Calyciform.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Calyciform.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Calyciform.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Calyciform.exe	String found in binary or memory: http://s.symcd.com06
Source: Calyciform.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Calyciform.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Calyciform.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: Calyciform.exe, 00000002.00000001.129567935037.0000000000626000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: Calyciform.exe, 00000002.00000001.129567935037.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Calyciform.exe, 00000002.00000001.129567935037.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: Calyciform.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: Calyciform.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: Calyciform.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: C:\Users\user\Desktop\Calyciform.exe

Code function: 0_2_004051E2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004051E2

Source: C:\Users\user\Desktop\Calyciform.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\vmmouse.cat

Jump to dropped file

Source: C:\Users\user\Desktop\Calyciform.exe

Code function: 0_2_004031E9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004031E9

Source: C:\Users\user\Desktop\Calyciform.exe	Code function: 0_2_00404A21		0_2_00404A21
Source: C:\Users\user\Desktop\Calyciform.exe	Code function: 0_2_6D6A1A9C		0_2_6D6A1A9C

Source: Calyciform.exe

Static PE information: invalid certificate

Source: Calyciform.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@3/8@0/1

Source: C:\Users\user\Desktop\Calyciform.exe

0_2_004031E9

Source: C:\Users\user\Desktop\Calyciform.exe

Code function: 0_2_004044AE GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004044AE

Source: C:\Users\user\Desktop\Calyciform.exe

Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,

0_2_004020D1

Source: C:\Users\user\Desktop\Calyciform.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant

Jump to behavior

Source: C:\Users\user\Desktop\Calyciform.exe

File created: C:\Users\user\AppData\Local\Temp\nse9AF4.tmp

Jump to behavior

Source: Calyciform.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Calyciform.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Calyciform.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Calyciform.exe	ReversingLabs: Detection: 45%
Source: Calyciform.exe	Virustotal: Detection: 37%

Source: C:\Users\user\Desktop\Calyciform.exe

File read: C:\Users\user\Desktop\Calyciform.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Calyciform.exe "C:\Users\user\Desktop\Calyciform.exe"
Source: C:\Users\user\Desktop\Calyciform.exe	Process created: C:\Users\user\Desktop\Calyciform.exe "C:\Users\user\Desktop\Calyciform.exe"
Source: C:\Users\user\Desktop\Calyciform.exe	Process created: C:\Users\user\Desktop\Calyciform.exe "C:\Users\user\Desktop\Calyciform.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Section loaded: srvcli.dll	Jump to behavior

Source: C:\Users\user\Desktop\Calyciform.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Calyciform.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: mshtml.pdbUGP source: Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.130225753929.0000000002FAF000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.134606321221.000000000174F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Calyciform.exe

Code function: 0_2_6D6A1A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6D6A1A9C

Source: C:\Users\user\Desktop\Calyciform.exe

Code function: 0_2_6D6A2F20 push eax; ret

0_2_6D6A2F4E

Source: C:\Users\user\Desktop\Calyciform.exe

File created: C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Calyciform.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Scrivano.Sek	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Bluetooth Suite help_HUN.chm	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Grundkoncept.Feh	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\anycollseq.c	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\list-drag-handle-symbolic.svg	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\user-idle.png	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\vmmouse.cat	Jump to behavior

Source: C:\Users\user\Desktop\Calyciform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Calyciform.exe	API/Special instruction interceptor: Address: 37DE4BA
Source: C:\Users\user\Desktop\Calyciform.exe	API/Special instruction interceptor: Address: 1F7E4BA

Tries to detect Any.run

Source: C:\Users\user\Desktop\Calyciform.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Calyciform.exe, 00000000.00000002.130224651433.0000000000A38000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE0

Source: C:\Users\user\Desktop\Calyciform.exe

File opened / queried: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\vmmouse.cat

Jump to behavior

Source: C:\Users\user\Desktop\Calyciform.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Calyciform.exe TID: 5572	Thread sleep count: 106 > 30			Jump to behavior
Source: C:\Users\user\Desktop\Calyciform.exe TID: 5572	Thread sleep time: -106000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Calyciform.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Calyciform.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Calyciform.exe	Code function: 0_2_00405745 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405745
Source: C:\Users\user\Desktop\Calyciform.exe	Code function: 0_2_00406280 FindFirstFileA,FindClose,	0_2_00406280
Source: C:\Users\user\Desktop\Calyciform.exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE

Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Calyciform.exe, 00000002.00000002.134609519488.0000000002897000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Calyciform.exe, 00000000.00000002.130224651433.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmmouse.cat
Source: vmmouse.cat.0.dr	Binary or memory string: VMware, Inc.
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: vmmouse.cat.0.dr	Binary or memory string: vmmouse.inf0E
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Calyciform.exe, 00000000.00000002.130224651433.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Scrivano.SekBluetooth Suite help_HUN.chmGrundkoncept.Fehanycollseq.clist-drag-handle-symbolic.svguser-idle.pngvmmouse.cat%Omkomne52%\TheologicallySoftware\Energizingfireetageshusets
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Calyciform.exe, 00000000.00000002.130224651433.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\vmmouse.catK$9
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Calyciform.exe, 00000000.00000002.130224651433.0000000000A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe0
Source: vmmouse.cat.0.dr	Binary or memory string: vmmouse.sys0M
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Calyciform.exe, 00000000.00000002.130229388804.0000000003E19000.00000004.00000800.00020000.00000000.sdmp, Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Calyciform.exe, 00000002.00000002.134610018366.00000000042C9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: Calyciform.exe, 00000002.00000002.134609519488.00000000028D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWc

Source: C:\Users\user\Desktop\Calyciform.exe	API call chain: ExitProcess graph end node			graph_0-4450
Source: C:\Users\user\Desktop\Calyciform.exe	API call chain: ExitProcess graph end node			graph_0-4616

Source: C:\Users\user\Desktop\Calyciform.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Calyciform.exe

Code function: 0_2_0040643A LdrInitializeThunk,

0_2_0040643A

Source: C:\Users\user\Desktop\Calyciform.exe

Code function: 0_2_6D6A1A9C GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_6D6A1A9C

Source: C:\Users\user\Desktop\Calyciform.exe

Process created: C:\Users\user\Desktop\Calyciform.exe "C:\Users\user\Desktop\Calyciform.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Calyciform.exe

0_2_004031E9

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Calyciform.exe	46%	ReversingLabs	Win32.Trojan.Generic
Calyciform.exe	37%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://nsis.sf.net/NSIS_Error	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binS?	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binl	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binJ	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binM	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binh	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin_?	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin/?Kv	0%	Avira URL Cloud	safe
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin#?_v	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binedvmbusRFCOMM	0%	Avira URL Cloud	safe
http://nsis.sf.net/NSIS_ErrorError	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin_	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin	0%	Avira URL Cloud	safe
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin7?Sv	0%	Avira URL Cloud	safe
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binK?	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binJ	Calyciform.exe, 00000002.00000002.134609519488.0000000002897000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binl	Calyciform.exe, 00000002.00000002.134609519488.0000000002897000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	Calyciform.exe, 00000002.00000001.129567935037.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	false		high
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binM	Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binS?	Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	Calyciform.exe	false	Avira URL Cloud: safe	unknown
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin_?	Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binh	Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp	false		high
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin/?Kv	Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	Calyciform.exe, 00000002.00000001.129567935037.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	false		high
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin#?_v	Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binedvmbusRFCOMM	Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Calyciform.exe	false	Avira URL Cloud: safe	unknown
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin_	Calyciform.exe, 00000002.00000002.134609519488.0000000002897000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	Calyciform.exe, 00000002.00000001.129567935037.0000000000626000.00000020.00000001.01000000.00000005.sdmp	false		high
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin	Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gopher.ftp://ftp.	Calyciform.exe, 00000002.00000001.129567935037.0000000000649000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.bin7?Sv	Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://45.137.22.248/nSTbXfnKEyKbZuJcrDaW99.binK?	Calyciform.exe, 00000002.00000002.134609519488.00000000028C1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.137.22.248	unknown	Netherlands		51447	ROOTLAYERNETNL	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1554165
Start date and time:	2024-11-12 07:44:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Calyciform.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@3/8@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 82% Number of executed functions: 43 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe

Simulations

Behavior and APIs

Time	Type	Description
01:49:15	API Interceptor	77x Sleep call for process: Calyciform.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.137.22.248	I5pvP0CU6M.exe	Get hash	malicious	RedLine	Browse	45.137.22.248:55615/
	New_Order_-_PSFK23TT002.exe	Get hash	malicious	GuLoader	Browse	45.137.22.248/eQobTNPQQm56.bin
	BOQ.00987578.exe	Get hash	malicious	Remcos, GuLoader	Browse	45.137.22.248/ZIWRb187.bin

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	I5pvP0CU6M.exe	Get hash	malicious	RedLine	Browse	45.137.22.248
	gLsenXDHxP.exe	Get hash	malicious	RedLine	Browse	185.222.58.240
	DEVIS + FACTURE.exe	Get hash	malicious	Remcos, GuLoader	Browse	45.137.22.126
	PZNfhfaj9O.exe	Get hash	malicious	RedLine	Browse	185.222.58.80
	ZxS8mP8uE6.exe	Get hash	malicious	RedLine	Browse	45.137.22.123
	nu28HwzQwC.exe	Get hash	malicious	RedLine	Browse	185.222.58.52
	DKO6uy1Tia.exe	Get hash	malicious	RedLine	Browse	45.137.22.70
	3BOCQ22aUs.ps1	Get hash	malicious	Unknown	Browse	45.137.20.45
	Order Proposal.exe	Get hash	malicious	RedLine	Browse	45.137.22.121
	l2rMtmFkD6.exe	Get hash	malicious	RedLine	Browse	185.222.58.233

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp\System.dll	ZOj46Y8Mb1.exe	Get hash	malicious	Unknown	Browse
	TouchEn_nxKey_32bit.exe	Get hash	malicious	Unknown	Browse
	Qz.exe	Get hash	malicious	Unknown	Browse
	Qz.exe	Get hash	malicious	Unknown	Browse
	scan_doc20240628154931011588.com.exe	Get hash	malicious	GuLoader	Browse
	scan_doc20240628154931011588.com.exe	Get hash	malicious	GuLoader	Browse
	Order 0002939399440.bat.exe	Get hash	malicious	GuLoader	Browse
	Order 0002939399440.bat.exe	Get hash	malicious	GuLoader	Browse
	New Order 000299944885.bat.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Calyciform.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.832316471889005
Encrypted:	false
SSDEEP:	192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC
MD5:	B0C77267F13B2F87C084FD86EF51CCFC
SHA1:	F7543F9E9B4F04386DFBF33C38CBED1BF205AFB3
SHA-256:	A0CAC4CF4852895619BC7743EBEB89F9E4927CCDB9E66B1BCD92A4136D0F9C77
SHA-512:	F2B57A2EEA00F52A3C7080F4B5F2BB85A7A9B9F16D12DA8F8FF673824556C62A0F742B72BE0FD82A2612A4B6DBD7E0FDC27065212DA703C2F7E28D199696F66E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: ZOj46Y8Mb1.exe, Detection: malicious, Browse Filename: TouchEn_nxKey_32bit.exe, Detection: malicious, Browse Filename: Qz.exe, Detection: malicious, Browse Filename: Qz.exe, Detection: malicious, Browse Filename: scan_doc20240628154931011588.com.exe, Detection: malicious, Browse Filename: scan_doc20240628154931011588.com.exe, Detection: malicious, Browse Filename: Order 0002939399440.bat.exe, Detection: malicious, Browse Filename: Order 0002939399440.bat.exe, Detection: malicious, Browse Filename: New Order 000299944885.bat.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir.-.D.-.D.-.D...J..D.-.E.>.D......D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....oZ...........!..... ...........(.......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text...O........ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..\|....P.....................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Bluetooth Suite help_HUN.chm

Download File

Process:	C:\Users\user\Desktop\Calyciform.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	64610
Entropy (8bit):	7.729778927024819
Encrypted:	false
SSDEEP:	1536:2eV+HBqsKGpvyYsR86GHN2G2LA/He8GayXqH1w6oq3Yo:jgHVIr86uNh22He8GRXS1w6oaYo
MD5:	3051A739BB5569A4740B65AA4FA59F9E
SHA1:	4F89DEE584612E3CDBBB9D766CBDDECA65708058
SHA-256:	098FCE4F92A83A100B0B9B65D2D44D17D2C81AC688BFC5F650E2FDFC61C73D8C
SHA-512:	7C7D5218D0CACF01DEFAC68C9E66177305533AB269C0AA7A78B561FF1CD81B40F0A2AD91018F6E0B7EAFFA7F289CED53EE34A14A8842EC79CB3D9C6501013BB1
Malicious:	false
Reputation:	low
Preview:	ITSF....`........\.........\|.{.......".....\|.{......."..`...............x.......T.......................b...............ITSP....T...........................................j..].!......."..T...............PMGL................./..../#IDXHDR......./#ITBITS..../#STRINGS...z.Q./#SYSTEM....T./#TOPICS.....@./#URLSTR...E.5./#URLTBL...U.p./#WINDOWS.....L./$FIftiMain......../$OBJINST...y.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...u../$WWKeywordLinks/..../$WWKeywordLinks/BTree...K.L./$WWKeywordLinks/Data....4./$WWKeywordLinks/Map...K../$WWKeywordLinks/Property...U ./Advanced_Phone_Operations.htm..s...!/Advanced_Phone_Operations_files/...7/Advanced_Phone_Operations_files/colorschememapping.xml...j.:-/Advanced_Phone_Operations_files/filelist.xml...g.c//Advanced_Phone_Operations_files/themedata.thmx...J. ./Audio_Services.htm......../Audio_Services_files/...,/Audio_Services_files/colorschememapping.xml.....:"/Audio_Services_files/filelist.xml...$.X$/Audio_Services_files/themedata.thmx

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Grundkoncept.Feh

Download File

Process:	C:\Users\user\Desktop\Calyciform.exe
File Type:	ASCII text, with very long lines (17548), with no line terminators
Category:	dropped
Size (bytes):	17548
Entropy (8bit):	2.7230154883953777
Encrypted:	false
SSDEEP:	192:TJmMN0EdObgQeHFYcLgoEWqaTw82h7V0GFykrWb+Oks/x:FHN1OFgFRgoEzaehC6ykrqf/x
MD5:	036A72115A57C72A5AD5C9CF97109E55
SHA1:	BB35C9BD70872C0EB0019BEE8F4239FBEB68E4F7
SHA-256:	4050850254D585D19A617B4B988739238045E86385B32CDED6455CFF5EDFD734
SHA-512:	2B6DB62B5850B5888B221B9FA0BCDAE5E68E7677B33A41B1FC662C78926697D5F4F8240299C67368A5A8AA5C993F3D4DFC254BBF62A86A64D3740A5BE566C7A1
Malicious:	false
Reputation:	low
Preview:	00002200000091DAB4319FD3D54DE0A5A50DBFFE921A9CF68A1A9BB78B5FA8ABC653FAF6C64FA2A7D64FEAAFD64FEAB3C616FAAFCA5FAABFD653FAF6C64BF6BF8F5FEAE7DE4FF6BF8F5FEAB68F51A8AAC63791DAB4319FD3D54DE0A5B016A8EB931EB6DE8A13B5FCCE16EAB38F5FEBAAD246EBAFD14DF6BF8F5FEAE7D54FEAAFCA5FB3BFD607EEAFCF0FF4EDD73791DAB4319FD3D54DE0A5B51AAED98F13BFCF8916B4EB830DF2F6C60DEFB3C616FAA7C653FAF6C64FF6F6C64FF3F6C80DE9D791DAB4319FD3D54DE0A5B41ABBFBA016B6FACE16A8AACA5FB3BF944EF6BF8F5FEBAAD246EBAFD14DF6B58F5FEAB3C616FAAFCF16F4EDD537AFEC830DE9ADDC4599FE8A138DF6881BB5E8B60DB5FCB157B3EDD75FF6F6C64FF6F6C64FF6BF8F5FEAB3C616FAAFCF370000000000F5000000CF00B1B1B10000000000000C00F6003C3C3C000036360081810000282800006B6B000000BFBFBF000000003C3C3C00B20000F1F1F100E5E50000000000F1F1000000E600007272002D0026000000000029007600AC005E00008E0000BF0000F30000000088880000001800000080002B2B00004F4F4F4F4F4F4F4F4F000000C1C10000001818180000660000979700F8F800008A003636360000DBDBDBDB0000000F000000A4A4000000000000EE00BBBBBBBBBB0000004C4C4C4C0026001F1F000000

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Scrivano.Sek

Download File

Process:	C:\Users\user\Desktop\Calyciform.exe
File Type:	data
Category:	dropped
Size (bytes):	149620
Entropy (8bit):	7.813525702369115
Encrypted:	false
SSDEEP:	3072:YFJwcsY59U+kwk0Mrme1qHMSeX7+rPRi0ejfoeU44Oq3KDt/WJGBN9HUS:YFJwxY5rkw5otADerG9ejf044j2BDUS
MD5:	D8EF7410766DF405AFB2A2FE100D48C5
SHA1:	85F5A6A476370227F1CCEDF345B4ACA6C844592F
SHA-256:	9BAA5CEDC1143C1ABEC661F760C793C32448D682BACC9239FEC7BC85B51DB0BF
SHA-512:	F2CF4A0262DE9EE593119B72D5C17E9E1DFA538DE2A5CAFFC67155A7CC9ABD2ECDF7B3A74C7C10A5A7ABFAB65CB4228CF2D1BD5FFDC8DE7DE6E09B9FBBD2BF98
Malicious:	false
Reputation:	low
Preview:	.........f!..!r..f.......q..f....ow..f.........K...f.....t. ..._..1...Q.............. ....k...f...<WXf.......A......f............f......v<.........=.&.f........ .....f......?JWf........\.6.!.!.f...........f........f..1.f..Xp ........f.........f...f!....]..\|.............^.......H..Qf..........p....................R7.f.....pDv..,...2........f...f..........f...............B.........J..u....,.148f...f.......f......J..u.f.............f..............":.0...:....vNbs...Tbi.....8L.+..P~FkT]/.w.J_\;...JE.N...F.".7.X.f.#...".K-ZN...r.TWrw.(.kn.Q[w'<..s2.>hD..'<...................?......&0.Pt&f....~.,..&.)J.......]..L^.Nk..8H....\...P}w.aF..T]aL.ka..#.....P.@I...v=......!.PmD.."34...."e..y.'.......L^..4H.+h=......Pn..Or....`.../..^..........YzF..f...QH...a....kw'...v.?......Dz....'...{.I"...\|.4..4.Td...cN\|.o.:Fh.R.......e~......1O78Su...QK.r./B...7:;V.TWA..vNO..].TOh.Ts.5.9\]TU....Ne...<TemO.\F...m...d.c...^+...'/..B..-..$Al./J....l..0.'>..J..<

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\anycollseq.c

Download File

Process:	C:\Users\user\Desktop\Calyciform.exe
File Type:	C source, ASCII text
Category:	dropped
Size (bytes):	1478
Entropy (8bit):	4.983443441486854
Encrypted:	false
SSDEEP:	24:RSTUJDC+pa/IBgQZpHNNOJ3n4oKYOTRv2C3pHv/G0pXXykdy4mJaN+:RSTUJD2/0FLE3nlKp3lpHf7my+
MD5:	833073D62A8DC48D769CF78DE7F5F459
SHA1:	4FC185A31C5137FB86AE334BCB6891A8BB205BD8
SHA-256:	B2830A264282BA361DB7DE8F8DA797F8D5EAF38B47006F9F85B3BA887A043FD0
SHA-512:	3664B5B5001F18CF1DA9EAF5F7D6222B16ABF92C2F6539DC3E149F961C487D72FCBB6A1391E962AA3A2D7EAA74167B81534CF90A97895F339C3A04970AAE4A89
Malicious:	false
Preview:	/.* 2017-04-16.. The author disclaims copyright to this source code. In place of. a legal notice, here is a blessing:.. May you do good and not evil.. May you find forgiveness for yourself and forgive others.. May you share freely, never taking more than you give...***********************************************************************.. This file implements a run-time loadable extension to SQLite that. registers a sqlite3_collation_needed() callback to register a fake. collating function for any unknown collating sequence. The fake. collating function works like BINARY... This extension can be used to load schemas that contain one or more.** unknown collating sequences../.#include "sqlite3ext.h".SQLITE_EXTENSION_INIT1.#include <string.h>..static int anyCollFunc(. void NotUsed,. int nKey1, const void pKey1,. int nKey2, const void pKey2.){. int rc, n;. n = nKey1<nKey2 ? nKey1 : nKey2;. rc = memcmp(pKey1, pKey2, n);. if( rc==0 ) rc

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\list-drag-handle-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\Calyciform.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	624
Entropy (8bit):	3.5629799376743088
Encrypted:	false
SSDEEP:	12:t4CDqKIUMUMfUMUMK5UM4IIUMUMfUMUMK5UM4JIUMUMfUMUMK5UM4IIUMUMfUMUo:t4CVI55f55U5rI55f55U5sI55f55U5rs
MD5:	1BA333F3E126D8A83CA3C6FCFB71FBC8
SHA1:	D54F87C1937D6A08455C903B4E60F6B390A9C583
SHA-256:	7DEC55F99B6FA48395B801EDE687C47330E79C4045F48B7AF673FB259F29FF32
SHA-512:	AA2E2E617E28925B3C69C25E9CD87073D7346544CFDA1B106D4A2198818F82895355B4F8FA6EF98242730565153C1EF3BDBDAF63864A3F186171AB81E3DE342A
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M4.494 0a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5zm6 0a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5zm-6 6a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5zm6 0a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5zm-6 6a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5zm6 0a1.5 1.5 0 00-1.5 1.5 1.5 1.5 0 001.5 1.5 1.5 1.5 0 001.5-1.5 1.5 1.5 0 00-1.5-1.5z" fill="#2e3436"/></svg>

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\user-idle.png

Download File

Process:	C:\Users\user\Desktop\Calyciform.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	592
Entropy (8bit):	7.514679114244337
Encrypted:	false
SSDEEP:	12:6v/7p+kQhKPewCkTzCyIgCldhcj5MebL0n0UW31PcF0hJu:ObZnCOzCyIgYda9X/l80hg
MD5:	901308031B5624C2779848AF45F0FE38
SHA1:	726AA6FD0430499D0051A39FF7722C89DCB4E001
SHA-256:	4E7F9241A3D4F1E41855B264424B6CB72E0B2C8B3ED4C4384D55136556858446
SHA-512:	026436FB0F5645A602140514505D687B0ACE7460A0C65A8F925072D99BD124C8D4AE7FB5C3852DD64B6B1C67BA974D6FB12BE064993721143EC8B76CD3A740B9
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx..Q...M.=w....m....i...........m.6.s{gwj....9.K./a....}..Pw.t....fz~.t..xr.r.. .L....US@f.w...p.Z.W.2g.E......N. H.6n..H..H.....x....w.%..Zgv.P.v..ju.....G..u..0....,B..D...\.5..o.... .'.@......A.....b&D.}...%...8.?X-...k.$j..M...F.v.P.....L....4~oc...<...-o^l...C&...R....K.i.>....R..*`..$D...Q.....l.Ib2../x..`#[...{.S.f...=......$.J.....{.j?..sf..... ..u.r...\|...d}...%xk......Y..}...FO.Yi.y..~..G.<M...4...u.\....[..;0.....>.E.6/K....hg".1........`W.v..x...>.:........(...O.}`........`.a..a.........GFH..\|......IEND.B`.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\vmmouse.cat

Download File

Process:	C:\Users\user\Desktop\Calyciform.exe
File Type:	data
Category:	dropped
Size (bytes):	10347
Entropy (8bit):	7.079665238975951
Encrypted:	false
SSDEEP:	192:uaPD2IJC+EjmwBYyKaWFWQF8DU+YVqnajTgd:FLoPCFR6D+Vl3gd
MD5:	8945C78F744916BC7EB6A7A57051327E
SHA1:	2BA36E895E143C92DB593220C9EAFE36D1084F64
SHA-256:	01619BAF4E68B2BB949557F7EC871E7E6A1AD3DEDE6230FB83372FF0AE0A68CE
SHA-512:	443F392FE06DE1A0990D7D987871B5DF1FBFD0CA7DB7560D69AAB6EEFF3B0240BC1B4FAA78E45C3BAD0D1DF329AC91E1715ECABCF9B9575A26F24A4DC4B7E6E7
Malicious:	false
Preview:	0.(g...H........(X0.(T...1.0...`.H.e......0..B..+.....7.....30../0...+.....7......B>[..XI.)..0.....200624070838Z0...+.....7.....0..B0....R6.D.1.3.1.6.8.2.C.1.B.4.8.B.C.1.C.3.D.C.C.4.C.3.7.2.9.1.3.6.C.5.2.E.E.4.8.C.B.F...1..A0:..+.....7...1,0...F.i.l.e........v.m.m.o.u.s.e...i.n.f...0E..+.....7...17050...+.....7.......0!0...+........m...........r.6...0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...0.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RA.C.8.1.A.F.F.0.B.A.C.E.5.2.E.C.7.8.8.2.8.9.C.6.A.8.F.8.F.3.4.7.4.F.D.9.0.9.B.5...1..I0:..+.....7...1,0*...F.i.l.e........v.m.m.o.u.s.e...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+.............R.x.....GO...0X..+.....7...1J0H...O.S.A.t.t.r.......22.:.6...0.,.2.:.6...2.,.2.:.6...3.,.2.:.1.0...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}........0...0J..+.....7....<0:.&.Q.u.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.13957822235099
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Calyciform.exe
File size:	428'464 bytes
MD5:	0b813c3349387a69277d7f8a0d20fe3d
SHA1:	d0c4aa5fffba33d1f7c9c184cd3acb90f6a75650
SHA256:	d2473f318c1386699bdd8442cfe5455d44e18ec23d4b2482ffc82c7c227ab9ad
SHA512:	d3b46abc8583f2a12c4e202392e97679147c5d1a691e1525bcf771f89902902740e503f5856574c5e7b8ad1303036485193f48f989201cf25a1ca08c79dc8c34
SSDEEP:	12288:F4FAe+jtbt1JcAfGWpfnuayZzCeFPEG6w//j:YAe+jtbt1JcAlnnGC+R/j
TLSH:	0C94F1413690B06FD82605329197BE269B536CF46F604BF77B977B1FA831281E63C22D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@............/...........s.../...............+.......Rich............................PE..L.....oZ.................b....9....

File Icon


Icon Hash:	253c2c2d0d212199

Static PE Info

General

Entrypoint:	0x4031e9
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED1A [Tue Jan 30 03:57:14 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Logikprogrammeringsaspektet@Trvarefabrikken.Res, OU="Addiment Achillea ", O=Parat, L=Waldachtal, S=Baden-W\xfcrttemberg, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	21/02/2023 07:54:51 20/02/2026 07:54:51
Subject Chain	E=Logikprogrammeringsaspektet@Trvarefabrikken.Res, OU="Addiment Achillea ", O=Parat, L=Waldachtal, S=Baden-W\xfcrttemberg, C=DE
Version:	3
Thumbprint MD5:	ED46C5437A947D935DDFD89103D75D07
Thumbprint SHA-1:	659D97B2F5DBD1E76E13986AE80CE1A563D8D20F
Thumbprint SHA-256:	6FCDFF81CCD8D73E3117F22F8AD8CF0DF5BC8EC5EDE926706565EA2ABF5EEB19
Serial:	565869FF3236E7A0D7D3D761C2B8177DF293331A

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A2F4Ch], eax
je 00007F984500B533h
push ebx
call 00007F984500E60Ah
cmp eax, ebx
je 00007F984500B529h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007F984500E586h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F984500B50Dh
push 0000000Ah
call 00007F984500E5DEh
push 00000008h
call 00007F984500E5D7h
push 00000006h
mov dword ptr [007A2F44h], eax
call 00007F984500E5CBh
cmp eax, ebx
je 00007F984500B531h
push 0000001Eh
call eax
test eax, eax
je 00007F984500B529h
or byte ptr [007A2F4Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [007A3018h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0079E500h
call dword ptr [00408178h]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3ba000	0x28ba0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x66718	0x2298	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6068	0x6200	d8abde42f5dea44b041d044ac6658045	False	0.6719547193877551	data	6.450720011496026	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1248	0x1400	34765c826af6bd742ec098b21c19a239	False	0.4287109375	data	5.0453837222906515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x399058	0x400	f95027c0eac5eb0bf708aa96757ff20d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a4000	0x16000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3ba000	0x28ba0	0x28c00	27041a317e8d97b32ebc682da7a7dddd	False	0.48665763995398775	data	5.215384005059982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x3ba400	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States	0.23623853211009174
RT_ICON	0x3ba768	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.46483496983319533
RT_ICON	0x3caf90	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	English	United States	0.49466575572840027
RT_ICON	0x3d4438	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	English	United States	0.5185767097966728
RT_ICON	0x3d98c0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States	0.5306447803495512
RT_ICON	0x3ddae8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.5595435684647303
RT_ICON	0x3e0090	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.6123358348968105
RT_ICON	0x3e1138	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.6635245901639344
RT_ICON	0x3e1ac0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.7322695035460993
RT_DIALOG	0x3e1f28	0x144	data	English	United States	0.5216049382716049
RT_DIALOG	0x3e2070	0x13c	data	English	United States	0.5506329113924051
RT_DIALOG	0x3e21b0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3e22b0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3e23d0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x3e2498	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3e24f8	0x76	data	English	United States	0.7542372881355932
RT_VERSION	0x3e2570	0x2ec	data	English	United States	0.49064171122994654
RT_MANIFEST	0x3e2860	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 12, 2024 07:46:31.813884974 CET	49771	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:32.825601101 CET	49771	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:34.840802908 CET	49771	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:36.841752052 CET	49772	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:37.855684996 CET	49772	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:39.870889902 CET	49772	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:41.871551037 CET	49773	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:42.886004925 CET	49773	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:44.901088953 CET	49773	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:46.903424978 CET	49774	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:47.915951014 CET	49774	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:49.931159019 CET	49774	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:51.931796074 CET	49775	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:52.946177959 CET	49775	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:54.961329937 CET	49775	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:56.962045908 CET	49776	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:57.976381063 CET	49776	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:46:59.991518974 CET	49776	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:01.993138075 CET	49777	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:03.006520987 CET	49777	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:05.021667957 CET	49777	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:07.022161961 CET	49778	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:08.036545038 CET	49778	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:10.036361933 CET	49778	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:12.052727938 CET	49779	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:13.066706896 CET	49779	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:15.081945896 CET	49779	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:17.083412886 CET	49780	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:18.097228050 CET	49780	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:20.112085104 CET	49780	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:22.112588882 CET	49781	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:23.127031088 CET	49781	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:25.142388105 CET	49781	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:27.142704010 CET	49782	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:28.157274961 CET	49782	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:30.172401905 CET	49782	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:32.173990011 CET	49783	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:33.187381983 CET	49783	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:35.202568054 CET	49783	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:37.203046083 CET	49784	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:38.217606068 CET	49784	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:40.232743025 CET	49784	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:42.233136892 CET	49785	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:43.247757912 CET	49785	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:45.262877941 CET	49785	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:47.264314890 CET	49786	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:48.277853966 CET	49786	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:50.293070078 CET	49786	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:52.293634892 CET	49787	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:53.308001995 CET	49787	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:55.323138952 CET	49787	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:57.323601007 CET	49788	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:47:58.338033915 CET	49788	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:00.353275061 CET	49788	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:02.354697943 CET	49789	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:03.368213892 CET	49789	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:05.383574963 CET	49789	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:07.383991957 CET	49790	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:08.403860092 CET	49790	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:10.418471098 CET	49790	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:12.416068077 CET	49791	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:13.428548098 CET	49791	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:15.443753004 CET	49791	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:17.445575953 CET	49792	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:18.458686113 CET	49792	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:20.458298922 CET	49792	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:22.474482059 CET	49793	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:23.488806963 CET	49793	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:25.504061937 CET	49793	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:27.504486084 CET	49794	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:28.519069910 CET	49794	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:30.534225941 CET	49794	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:32.535689116 CET	49795	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:33.549237967 CET	49795	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:35.564373016 CET	49795	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:37.564846039 CET	49796	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:38.579277992 CET	49796	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:40.594527960 CET	49796	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:42.595015049 CET	49797	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:43.609409094 CET	49797	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:45.624686003 CET	49797	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:47.626418114 CET	49798	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:48.639559984 CET	49798	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:50.654794931 CET	49798	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:52.655217886 CET	49799	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:53.669747114 CET	49799	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:55.684981108 CET	49799	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:57.685513973 CET	49800	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:48:58.699908972 CET	49800	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:00.715109110 CET	49800	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:02.717036963 CET	49801	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:03.730062008 CET	49801	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:05.745191097 CET	49801	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:07.745795012 CET	49802	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:08.760166883 CET	49802	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:10.775471926 CET	49802	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:12.775911093 CET	49803	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:13.790355921 CET	49803	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:15.805610895 CET	49803	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:17.760344982 CET	49804	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:18.773627996 CET	49804	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:20.788916111 CET	49804	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:22.711931944 CET	49805	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:23.725682974 CET	49805	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:25.740845919 CET	49805	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:27.631923914 CET	49806	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:28.646513939 CET	49806	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:30.661662102 CET	49806	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:32.523431063 CET	49807	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:33.536063910 CET	49807	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:35.551233053 CET	49807	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:37.395610094 CET	49808	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:38.409970045 CET	49808	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:40.425184011 CET	49808	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:42.238349915 CET	49809	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:43.252640963 CET	49809	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:45.267813921 CET	49809	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:47.050571918 CET	49810	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:48.064050913 CET	49810	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:50.079262018 CET	49810	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:51.829849005 CET	49811	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:52.844289064 CET	49811	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:54.859471083 CET	49811	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:56.594556093 CET	49812	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:57.608891010 CET	49812	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:49:59.624139071 CET	49812	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:01.328999996 CET	49813	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:02.342195034 CET	49813	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:04.357429981 CET	49813	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:06.045536041 CET	49814	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:07.060017109 CET	49814	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:09.075078964 CET	49814	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:10.732023001 CET	49815	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:11.746419907 CET	49815	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:13.761620045 CET	49815	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:15.404117107 CET	49816	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:16.417306900 CET	49816	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:18.432429075 CET	49816	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:20.042335987 CET	49817	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:21.056941986 CET	49817	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:23.072073936 CET	49817	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:24.666501045 CET	49818	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:25.680828094 CET	49818	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:27.696014881 CET	49818	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:29.276241064 CET	49819	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:30.289223909 CET	49819	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:32.304375887 CET	49819	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:33.867738008 CET	49820	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:34.882189035 CET	49820	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:36.897226095 CET	49820	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:38.429079056 CET	49821	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:39.443531036 CET	49821	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:41.458759069 CET	49821	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:42.975991011 CET	49822	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:43.989343882 CET	49822	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:46.004614115 CET	49822	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:47.505135059 CET	49823	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:48.519680977 CET	49823	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:50.534825087 CET	49823	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:52.020091057 CET	49824	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:53.034288883 CET	49824	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:55.049427986 CET	49824	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:56.520312071 CET	49825	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:57.533292055 CET	49825	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:50:59.548443079 CET	49825	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:01.002593040 CET	49826	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:02.016733885 CET	49826	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:04.031877995 CET	49826	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:05.470443010 CET	49827	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:06.484462023 CET	49827	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:08.499631882 CET	49827	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:09.923949003 CET	49828	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:10.936580896 CET	49828	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:12.936178923 CET	49828	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:14.358625889 CET	49829	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:15.373136997 CET	49829	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:17.388298988 CET	49829	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:18.779735088 CET	49830	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:19.794085979 CET	49830	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:21.809180021 CET	49830	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:23.186446905 CET	49831	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:24.199369907 CET	49831	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:26.214534044 CET	49831	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:27.574533939 CET	49832	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:28.588974953 CET	49832	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:30.604151011 CET	49832	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:31.964572906 CET	49833	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:32.978627920 CET	49833	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:34.993856907 CET	49833	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:36.339900017 CET	49834	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:37.352801085 CET	49834	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:39.367860079 CET	49834	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:40.696667910 CET	49835	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:41.711119890 CET	49835	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:43.726279020 CET	49835	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:45.039436102 CET	49836	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:46.053900003 CET	49836	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:48.069133997 CET	49836	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:49.383955002 CET	49837	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:50.396701097 CET	49837	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:52.411854982 CET	49837	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:53.709378004 CET	49838	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:54.723903894 CET	49838	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:56.739130974 CET	49838	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:58.021920919 CET	49839	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:51:59.035470963 CET	49839	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:01.050661087 CET	49839	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:02.334306002 CET	49840	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:03.346963882 CET	49840	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:05.362121105 CET	49840	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:06.646524906 CET	49841	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:07.658581018 CET	49841	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:09.673831940 CET	49841	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:10.940017939 CET	49842	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:11.954483032 CET	49842	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:13.969707966 CET	49842	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:15.221719027 CET	49843	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:16.234884977 CET	49843	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:18.250047922 CET	49843	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:19.485116959 CET	49844	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:20.499525070 CET	49844	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:22.514688015 CET	49844	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:23.749953985 CET	49845	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:24.764235020 CET	49845	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:26.779424906 CET	49845	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:27.999754906 CET	49846	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:29.013286114 CET	49846	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:31.028503895 CET	49846	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:32.247812986 CET	49847	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:33.262316942 CET	49847	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:35.277527094 CET	49847	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:36.481446981 CET	49848	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:37.495835066 CET	49848	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:39.510921001 CET	49848	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:40.715790033 CET	49849	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:41.729195118 CET	49849	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:43.744431019 CET	49849	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:44.948153973 CET	49850	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:45.962697983 CET	49850	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:47.977920055 CET	49850	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:49.165956020 CET	49851	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:50.180588961 CET	49851	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:52.195705891 CET	49851	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:53.385152102 CET	49852	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:54.398382902 CET	49852	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:56.413538933 CET	49852	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:57.586050987 CET	49853	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:52:58.600548029 CET	49853	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:00.615925074 CET	49853	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:01.788361073 CET	49854	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:02.802771091 CET	49854	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:04.817948103 CET	49854	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:05.975848913 CET	49855	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:06.989294052 CET	49855	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:08.988886118 CET	49855	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:10.161475897 CET	49856	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:11.175926924 CET	49856	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:13.191108942 CET	49856	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:14.348170042 CET	49857	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:15.362596989 CET	49857	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:17.377780914 CET	49857	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:18.519992113 CET	49858	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:19.533493996 CET	49858	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:21.548666000 CET	49858	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:22.690397024 CET	49859	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:23.704449892 CET	49859	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:25.719672918 CET	49859	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:26.860938072 CET	49860	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:27.875457048 CET	49860	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:29.890554905 CET	49860	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:31.017956018 CET	49861	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:32.030814886 CET	49861	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:34.045912981 CET	49861	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:35.171555042 CET	49862	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:36.186096907 CET	49862	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:38.201267958 CET	49862	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:39.327049017 CET	49863	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:40.341432095 CET	49863	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:42.356635094 CET	49863	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:43.483894110 CET	49864	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:44.496742964 CET	49864	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:46.512027025 CET	49864	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:47.622112036 CET	49865	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:48.636523008 CET	49865	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:50.651702881 CET	49865	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:51.762130022 CET	49866	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:52.776166916 CET	49866	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:54.775780916 CET	49866	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:55.902782917 CET	49867	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:56.915921926 CET	49867	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:53:58.931099892 CET	49867	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:00.041445017 CET	49868	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:01.055666924 CET	49868	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:03.070822954 CET	49868	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:04.165292025 CET	49869	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:05.179734945 CET	49869	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:07.194916010 CET	49869	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:08.290481091 CET	49870	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:09.303853035 CET	49870	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:11.319004059 CET	49870	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:12.414053917 CET	49871	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:13.427906990 CET	49871	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:15.443169117 CET	49871	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:16.537637949 CET	49872	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:17.552087069 CET	49872	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:19.567183971 CET	49872	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:20.647027969 CET	49873	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:21.660491943 CET	49873	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:23.675729990 CET	49873	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:24.754468918 CET	49874	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:25.769006968 CET	49874	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:27.784204006 CET	49874	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:28.862899065 CET	49875	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:29.877490044 CET	49875	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:31.892751932 CET	49875	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:32.972428083 CET	49876	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:33.985996962 CET	49876	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:36.001092911 CET	49876	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:37.079864979 CET	49877	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:38.094419003 CET	49877	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:40.109582901 CET	49877	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:41.188379049 CET	49878	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:42.202927113 CET	49878	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:44.218085051 CET	49878	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:45.282188892 CET	49879	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:46.295767069 CET	49879	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:48.310964108 CET	49879	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:49.374147892 CET	49880	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:50.388585091 CET	49880	80	192.168.11.20	45.137.22.248
Nov 12, 2024 07:54:52.403764963 CET	49880	80	192.168.11.20	45.137.22.248

Target ID:	0
Start time:	01:46:22
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\Calyciform.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Calyciform.exe"
Imagebase:	0x400000
File size:	428'464 bytes
MD5 hash:	0B813C3349387A69277D7F8A0D20FE3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.130225753929.0000000002FAF000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:46:26
Start date:	12/11/2024
Path:	C:\Users\user\Desktop\Calyciform.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Calyciform.exe"
Imagebase:	0x400000
File size:	428'464 bytes
MD5 hash:	0B813C3349387A69277D7F8A0D20FE3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.134606321221.000000000174F000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.2%
Total number of Nodes:	1510
Total number of Limit Nodes:	50

Executed Functions

Function 004031E9 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040320E
GetVersion.KERNEL32 ref: 00403214
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403247
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403283
OleInitialize.OLE32(00000000), ref: 0040328A
SHGetFileInfoA.SHELL32(0079E500,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032A6
GetCommandLineA.KERNEL32(Burseraceae Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032BB
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Calyciform.exe",00000020,"C:\Users\user\Desktop\Calyciform.exe",00000000,?,00000006,00000008,0000000A), ref: 004032F7
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 004033F4
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403405
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403411
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403425
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040342D
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 0040343E
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403446
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040345A

Part of subcall function 00406315: GetModuleHandleA.KERNEL32(?,?,?,0040325C,0000000A), ref: 00406327
Part of subcall function 00406315: GetProcAddress.KERNEL32(00000000,?), ref: 00406342

Part of subcall function 004037AB: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant,1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,759B3410), ref: 0040389B
Part of subcall function 004037AB: lstrcmpiA.KERNEL32(?,.exe), ref: 004038AE
Part of subcall function 004037AB: GetFileAttributesA.KERNEL32(Call), ref: 004038B9
Part of subcall function 004037AB: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant), ref: 00403902
Part of subcall function 004037AB: RegisterClassA.USER32(007A26E0), ref: 0040393F

Part of subcall function 004036D1: CloseHandle.KERNEL32(000002C8,00403508,?,?,00000006,00000008,0000000A), ref: 004036DC

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 00403508
ExitProcess.KERNEL32 ref: 00403529
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403646
OpenProcessToken.ADVAPI32(00000000), ref: 0040364D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403665
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403684
ExitWindowsEx.USER32(00000002,80040002), ref: 004036A8
ExitProcess.KERNEL32 ref: 004036CB

Part of subcall function 00405699: MessageBoxIndirectA.USER32(0040A218), ref: 004056F4

Strings

Error launching installer, xrefs: 004034C0
.tmp, xrefs: 00403550
Low, xrefs: 00403427
\Temp, xrefs: 0040340B
NSIS Error, xrefs: 004032AC
C:\Users\user\Desktop, xrefs: 0040355B, 00403560, 0040358C
", xrefs: 0040331C
C:\Users\user\AppData\Local\Temp\, xrefs: 004033E9, 004033EE, 00403404, 00403410, 0040341F, 0040342C, 00403438, 00403440, 00403539, 0040354A, 00403555, 00403561, 0040356E, 0040357D, 0040362C
TEMP, xrefs: 00403439
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant, xrefs: 004033D9, 004034DA, 00403584, 0040358D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant, xrefs: 004034E5
C:\Users\user\Desktop\Calyciform.exe, xrefs: 004035E6
UXTHEME, xrefs: 0040323B, 00403240, 00403246
user32::CallWindowProcW(ir1 ,i 0,i 0, i 0, i 0), xrefs: 0040359B
~nsu, xrefs: 00403534
Burseraceae Setup, xrefs: 004032B1
1033, xrefs: 00403455
TMP, xrefs: 00403441
"C:\Users\user\Desktop\Calyciform.exe", xrefs: 004032C1, 004032C7, 0040347E
SeShutdownPrivilege, xrefs: 0040365F

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\Calyciform.exe"$.tmp$1033$Burseraceae Setup$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant$C:\Users\user\Desktop$C:\Users\user\Desktop\Calyciform.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::CallWindowProcW(ir1 ,i 0,i 0, i 0, i 0)$~nsu
API String ID: 3776617018-1313069087
Opcode ID: 29ce849f0f4732ea37b80819e9f88e43c01e51bf7f43e0917613217fdba7c993
Instruction ID: 7bf8744e0b649f959f8498b36092dc0538a6711c388ee02d62fe24b7258f1436
Opcode Fuzzy Hash: 29ce849f0f4732ea37b80819e9f88e43c01e51bf7f43e0917613217fdba7c993
Instruction Fuzzy Hash: 42C1E670104741AAD7216F759D89A2F3EACAF86706F04447FF582B51E2DB7C8A058B2F

Function 00404A21 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A39
GetDlgItem.USER32(?,00000408), ref: 00404A44
GlobalAlloc.KERNEL32(00000040,00000001), ref: 00404A8E
LoadBitmapA.USER32(0000006E), ref: 00404AA1
SetWindowLongA.USER32(?,000000FC,00405018), ref: 00404ABA
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404ACE
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404AE0
SendMessageA.USER32(?,00001109,00000002), ref: 00404AF6
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B02
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B14
DeleteObject.GDI32(00000000), ref: 00404B17
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B42
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B4E
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404BE3
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404C0E
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C22
GetWindowLongA.USER32(?,000000F0), ref: 00404C51
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C5F
ShowWindow.USER32(?,00000005), ref: 00404C70
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D6D
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DD2
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404DE7
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E0B
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E2B
ImageList_Destroy.COMCTL32(?), ref: 00404E40
GlobalFree.KERNEL32(?), ref: 00404E50
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EC9
SendMessageA.USER32(?,00001102,?,?), ref: 00404F72
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404F81
InvalidateRect.USER32(?,00000000,00000001), ref: 00404FA1
ShowWindow.USER32(?,00000000), ref: 00404FEF
GetDlgItem.USER32(?,000003FE), ref: 00404FFA
ShowWindow.USER32(00000000), ref: 00405001

Strings

N, xrefs: 00404CAB
, xrefs: 00404FD9
M, xrefs: 00404BCA

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 172e59c7ba931a394c3fba9a3879f403beeb7489b9f7cd5918fdae017d576325
Instruction ID: 95fc731ee8c2f60e707b2e347886eca1b13b95ad12058a055eb87ebce7bf2e6a
Opcode Fuzzy Hash: 172e59c7ba931a394c3fba9a3879f403beeb7489b9f7cd5918fdae017d576325
Instruction Fuzzy Hash: 720270B0900209EFEB149F58DD85AAE7BB5FB84315F10813AF610BA2E1D7789D52CF58

Function 6D6A1A9C Relevance: 20.1, APIs: 13, Instructions: 571stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6D6A1215: GlobalAlloc.KERNELBASE(00000040,6D6A1233,?,6D6A12CF,-6D6A404B,6D6A11AB,-000000A0), ref: 6D6A121D

GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 6D6A1BA6
lstrcpyA.KERNEL32(00000008,?), ref: 6D6A1BEE
lstrcpyA.KERNEL32(00000408,?), ref: 6D6A1BF8
GlobalFree.KERNEL32(00000000), ref: 6D6A1C0B
GlobalFree.KERNEL32(?), ref: 6D6A1CEB
GlobalFree.KERNEL32(?), ref: 6D6A1CF0
GlobalFree.KERNEL32(?), ref: 6D6A1CF5
GlobalFree.KERNEL32(00000000), ref: 6D6A1EDC
lstrcpyA.KERNEL32(?,?), ref: 6D6A2065
GetModuleHandleA.KERNEL32(00000008), ref: 6D6A20D8
LoadLibraryA.KERNEL32(00000008), ref: 6D6A20E9
GetProcAddress.KERNEL32(?,?), ref: 6D6A2142
lstrlenA.KERNEL32(00000408), ref: 6D6A215C

Memory Dump Source

Source File: 00000000.00000002.130238628964.000000006D6A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D6A0000, based on PE: true

Associated: 00000000.00000002.130238558041.000000006D6A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238696820.000000006D6A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238759011.000000006D6A5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d6a0000_Calyciform.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: f9d3db591a4a56c82ed4ed0722d9afad7e2e42839c77d404d7b7377cf874189e
Instruction ID: 22c6c09e95797c679ba64c26f605c050ff2fbcea28c8fde924bb367a58004e1d
Opcode Fuzzy Hash: f9d3db591a4a56c82ed4ed0722d9afad7e2e42839c77d404d7b7377cf874189e
Instruction Fuzzy Hash: 33229D71D5820ADEDB11CFA9C8807EDBBF4BB0D344F19852AD2E6E2280D7789D41CB50

Function 00405745 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,759B3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040576E
lstrcatA.KERNEL32(007A0548,\*.*,007A0548,?,?,759B3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057B6
lstrcatA.KERNEL32(?,0040A014,?,007A0548,?,?,759B3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D7
lstrlenA.KERNEL32(?,?,0040A014,?,007A0548,?,?,759B3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057DD
FindFirstFileA.KERNEL32(007A0548,?,?,?,0040A014,?,007A0548,?,?,759B3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057EE
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040589B
FindClose.KERNEL32(00000000), ref: 004058AC

Strings

"C:\Users\user\Desktop\Calyciform.exe", xrefs: 00405745
C:\Users\user\AppData\Local\Temp\, xrefs: 00405752
\*.*, xrefs: 004057B0

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Calyciform.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3983645626
Opcode ID: 7c997698bd92b054754dbd9e87a557b423d2768d503f37e0b7d96f013d030dcb
Instruction ID: 8fe5727fece67214ca9e537269006626f4bb6c92c430407bbf8d6e8d58a7b1f2
Opcode Fuzzy Hash: 7c997698bd92b054754dbd9e87a557b423d2768d503f37e0b7d96f013d030dcb
Instruction Fuzzy Hash: 6A51C131800A09AADF217B218C85BBF7A78DF42714F14817FF855B51D2D73C8952DE69

Function 00406280 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(759B3410,007A0D90,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,00405A46,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,759B3410,?,C:\Users\user\AppData\Local\Temp\,00405765,?,759B3410,C:\Users\user\AppData\Local\Temp\), ref: 0040628B
FindClose.KERNEL32(00000000), ref: 00406297

Strings

C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp, xrefs: 00406280

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp
API String ID: 2295610775-3793470382
Opcode ID: c24f07e19fd736ab640c4fa4be5052e5aaef0f0ac654c0d60e62e1f7b242b1f9
Instruction ID: 649fadc54739959b3e8e38c8a8f4dd54304d89d7bf2914afa8982a1acff588dd
Opcode Fuzzy Hash: c24f07e19fd736ab640c4fa4be5052e5aaef0f0ac654c0d60e62e1f7b242b1f9
Instruction Fuzzy Hash: E0D012729051205FCA006778AE0C84B7A589F46370B114B7AB4AAF15E0CA788C7286D8

Function 00403B48 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B84
ShowWindow.USER32(?), ref: 00403BA1
DestroyWindow.USER32 ref: 00403BB5
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BD1
GetDlgItem.USER32(?,?), ref: 00403BF2
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C06
IsWindowEnabled.USER32(00000000), ref: 00403C0D
GetDlgItem.USER32(?,00000001), ref: 00403CBB
GetDlgItem.USER32(?,00000002), ref: 00403CC5
SetClassLongA.USER32(?,000000F2,?), ref: 00403CDF
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D30
GetDlgItem.USER32(?,00000003), ref: 00403DD6
ShowWindow.USER32(00000000,?), ref: 00403DF7
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E09
EnableWindow.USER32(?,?), ref: 00403E24
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E3A
EnableMenuItem.USER32(00000000), ref: 00403E41
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E59
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E6C
lstrlenA.KERNEL32(0079F540,?,0079F540,00000000), ref: 00403E96
SetWindowTextA.USER32(?,0079F540), ref: 00403EA5
ShowWindow.USER32(?,0000000A), ref: 00403FD9

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 15b6375a1e693d3e2cd3c5fe237b60442a4c361cd33fb8cff5c4eaa7748e9161
Instruction ID: be3397b8ddd8732ae82b8f0fff634cab03aa6bc43632f84706db7e79d14484ee
Opcode Fuzzy Hash: 15b6375a1e693d3e2cd3c5fe237b60442a4c361cd33fb8cff5c4eaa7748e9161
Instruction Fuzzy Hash: CEC1C271504600AFEB216F65ED85E2B3ABCEB85706F00453EF641B11F2CB3D9A429B6D

Function 004037AB Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406315: GetModuleHandleA.KERNEL32(?,?,?,0040325C,0000000A), ref: 00406327
Part of subcall function 00406315: GetProcAddress.KERNEL32(00000000,?), ref: 00406342

lstrcatA.KERNEL32(1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,759B3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Calyciform.exe",00000000), ref: 00403826
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant,1033,0079F540,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F540,00000000,00000002,759B3410), ref: 0040389B
lstrcmpiA.KERNEL32(?,.exe), ref: 004038AE
GetFileAttributesA.KERNEL32(Call), ref: 004038B9
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant), ref: 00403902

Part of subcall function 00405EDB: wsprintfA.USER32 ref: 00405EE8

RegisterClassA.USER32(007A26E0), ref: 0040393F
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403957
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040398C
ShowWindow.USER32(00000005,00000000), ref: 004039C2
GetClassInfoA.USER32(00000000,RichEdit20A,007A26E0), ref: 004039EE
GetClassInfoA.USER32(00000000,RichEdit,007A26E0), ref: 004039FB
RegisterClassA.USER32(007A26E0), ref: 00403A04
DialogBoxParamA.USER32(?,00000000,00403B48,00000000), ref: 00403A23

Strings

RichEd20, xrefs: 004039C8
Control Panel\Desktop\ResourceLocale, xrefs: 004037DF
.exe, xrefs: 004038A8
RichEdit20A, xrefs: 004039E6, 004039EC
C:\Users\user\AppData\Local\Temp\, xrefs: 004037B0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant, xrefs: 00403835, 0040383D, 004038D5, 004038DB, 004038EB
.DEFAULT\Control Panel\International, xrefs: 00403811
RichEd32, xrefs: 004039D6
1033, xrefs: 004037CB, 00403821
Call, xrefs: 00403869, 00403871, 0040387E, 004038C8, 004038CE
RichEdit, xrefs: 004039F5
"C:\Users\user\Desktop\Calyciform.exe", xrefs: 004037AF
&z, xrefs: 00403911
_Nb, xrefs: 0040391E, 00403986

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Calyciform.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$&z
API String ID: 1975747703-213470910
Opcode ID: 1cb86479f1a3a0086ce9388ac0fb28c5fcde83020396cc1e7e21ed7e12b3b041
Instruction ID: e7770fced47558190ba49eb26abf7833ec0de161341021374fa99cdfb8efac44
Opcode Fuzzy Hash: 1cb86479f1a3a0086ce9388ac0fb28c5fcde83020396cc1e7e21ed7e12b3b041
Instruction Fuzzy Hash: 6D61B471240600BED610AF659D46F3B3AACDB85749F00857FF981B62E2DB7D9D028B2D

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D74
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Calyciform.exe,00000400), ref: 00402D90

Part of subcall function 00405B16: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\Calyciform.exe,80000000,00000003), ref: 00405B1A
Part of subcall function 00405B16: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B3C

GetFileSize.KERNEL32(00000000,00000000,007AB000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Calyciform.exe,C:\Users\user\Desktop\Calyciform.exe,80000000,00000003), ref: 00402DDC

Strings

Error launching installer, xrefs: 00402DB3
C:\Users\user\Desktop\Calyciform.exe, xrefs: 00402D7A, 00402D89, 00402D9D, 00402DBD
Null, xrefs: 00402E5A
"C:\Users\user\Desktop\Calyciform.exe", xrefs: 00402D63
C:\Users\user\Desktop, xrefs: 00402DBE, 00402DC3, 00402DC9
soft, xrefs: 00402E51
Inst, xrefs: 00402E48
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D6A
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Calyciform.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Calyciform.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-3135735621
Opcode ID: 8e9a191421aba4a3439459f77b6fce6800917911843336c3de020814a67cc7e1
Instruction ID: e7e10bf14dd6c84c423c7e0fea7576ec82b222124ef8da9379000f3ec2b80706
Opcode Fuzzy Hash: 8e9a191421aba4a3439459f77b6fce6800917911843336c3de020814a67cc7e1
Instruction Fuzzy Hash: 7151D371940215AFDB119F64DE89A5F7BB8EB04368F10413BF904B62D1D7BC8E818B9D

Function 00405F9F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004060CA
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,0079ED20,00000000,004050DC,0079ED20,00000000), ref: 004060DD
SHGetSpecialFolderLocation.SHELL32(004050DC,759B23A0,?,0079ED20,00000000,004050DC,0079ED20,00000000), ref: 00406119
SHGetPathFromIDListA.SHELL32(759B23A0,Call), ref: 00406127
CoTaskMemFree.OLE32(759B23A0), ref: 00406133
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406157
lstrlenA.KERNEL32(Call,?,0079ED20,00000000,004050DC,0079ED20,00000000,00000000,00790EF8,759B23A0), ref: 004061A9

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406151
user32::CallWindowProcW(ir1 ,i 0,i 0, i 0, i 0), xrefs: 00406181
Call, xrefs: 00405FC9, 00406096, 00406097, 00406098, 004060B4, 004060C9, 004060DC, 004060F8, 00406123, 00406156, 0040615C, 00406174, 00406187, 004061A2, 004061A8, 004061B0, 004061DA
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406099

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::CallWindowProcW(ir1 ,i 0,i 0, i 0, i 0)
API String ID: 717251189-3408574989
Opcode ID: 11b5917a9e638ace321be4f5325a6bdc22aaa804cea597cb4274c203d9df8917
Instruction ID: 0b63f41bbf951af37742be8a6cb34bbd05ef536143463fead8fbb104fcb9049a
Opcode Fuzzy Hash: 11b5917a9e638ace321be4f5325a6bdc22aaa804cea597cb4274c203d9df8917
Instruction Fuzzy Hash: C861E371904105AEEF119F24CC84BBE7BB59B46314F16813FE903BA2D2D67D49A2CB4A

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405F7D: lstrcpynA.KERNEL32(?,?,00000400,004032BB,Burseraceae Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F8A

Part of subcall function 004050A4: lstrlenA.KERNEL32(0079ED20,00000000,00790EF8,759B23A0,?,?,?,?,?,?,?,?,?,004030D4,00000000,?), ref: 004050DD
Part of subcall function 004050A4: lstrlenA.KERNEL32(004030D4,0079ED20,00000000,00790EF8,759B23A0,?,?,?,?,?,?,?,?,?,004030D4,00000000), ref: 004050ED
Part of subcall function 004050A4: lstrcatA.KERNEL32(0079ED20,004030D4,004030D4,0079ED20,00000000,00790EF8,759B23A0), ref: 00405100
Part of subcall function 004050A4: SetWindowTextA.USER32(0079ED20,0079ED20), ref: 00405112
Part of subcall function 004050A4: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405138
Part of subcall function 004050A4: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405152
Part of subcall function 004050A4: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405160

Strings

user32::CallWindowProcW(ir1 ,i 0,i 0, i 0, i 0), xrefs: 0040180D, 00401819, 00401831
Call, xrefs: 00401775, 0040177E, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp, xrefs: 004017A3, 00401812, 00401830
C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp\System.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant, xrefs: 00401786

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp$C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant$Call$user32::CallWindowProcW(ir1 ,i 0,i 0, i 0, i 0)
API String ID: 1941528284-2300961305
Opcode ID: 695578334c0ee4be37e012e58be7f92549580ca5109cbc41cb3716ec475ee65c
Instruction ID: 3f5d23f0505a0c405a30723695d383d48bc8799a0a07943a114376d49cde1fe8
Opcode Fuzzy Hash: 695578334c0ee4be37e012e58be7f92549580ca5109cbc41cb3716ec475ee65c
Instruction Fuzzy Hash: B841B471900519BACF10BBB5CC46DAF76B9DF41368B20823BF522F11E1D67C8A419A6E

Function 00402003 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 0040202E

Part of subcall function 004050A4: lstrlenA.KERNEL32(0079ED20,00000000,00790EF8,759B23A0,?,?,?,?,?,?,?,?,?,004030D4,00000000,?), ref: 004050DD
Part of subcall function 004050A4: lstrlenA.KERNEL32(004030D4,0079ED20,00000000,00790EF8,759B23A0,?,?,?,?,?,?,?,?,?,004030D4,00000000), ref: 004050ED
Part of subcall function 004050A4: lstrcatA.KERNEL32(0079ED20,004030D4,004030D4,0079ED20,00000000,00790EF8,759B23A0), ref: 00405100
Part of subcall function 004050A4: SetWindowTextA.USER32(0079ED20,0079ED20), ref: 00405112
Part of subcall function 004050A4: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405138
Part of subcall function 004050A4: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405152
Part of subcall function 004050A4: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405160

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040203E
GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B8

Strings

user32::CallWindowProcW(ir1 ,i 0,i 0, i 0, i 0), xrefs: 00402082
/z, xrefs: 00402078

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: user32::CallWindowProcW(ir1 ,i 0,i 0, i 0, i 0)$/z
API String ID: 2987980305-1879690062
Opcode ID: 239d6c2453c16f58a6829d86e1aa364e9ad80bd048853c2d37ac0b8ed1dd3d16
Instruction ID: d65959635370e5528591cca9a5c3cbe7578547ab5d5b00e4bd8bf8e39d7723e8
Opcode Fuzzy Hash: 239d6c2453c16f58a6829d86e1aa364e9ad80bd048853c2d37ac0b8ed1dd3d16
Instruction Fuzzy Hash: 8121D871A00215BBCF207FA48E4DBAE76A0AF55318F20413BF611B21D0CBBD4A42D66E

Function 0040556A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055AD
GetLastError.KERNEL32 ref: 004055C1
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055D6
GetLastError.KERNEL32 ref: 004055E0

Strings

C:\Users\user\Desktop, xrefs: 0040556A
C:\Users\user\AppData\Local\Temp\, xrefs: 00405590

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-26219170
Opcode ID: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
Instruction ID: d60ac603840848199a7fa56c8eddcf59aef149659cba7d951691f3973700b38f
Opcode Fuzzy Hash: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
Instruction Fuzzy Hash: 48010871C00219EAEF019BA1CD087EFBBB9EF14354F10813AD545B6290D7789648CFA9

Function 004062A7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062BE
wsprintfA.USER32 ref: 004062F7
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040630B

Strings

UXTHEME, xrefs: 004062B0
\, xrefs: 004062CF
%s%s.dll, xrefs: 004062F1

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction ID: 791f79d561c984125f31c7fb7d360261de965b4457e35f8f8c4567f5ddaa11b7
Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction Fuzzy Hash: F0F0F630500619ABEB14AB64DD0EFEB375CAB08305F1405BEA686E10C1EAB8D8358B6C

Function 00402F9C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403003
GetTickCount.KERNEL32 ref: 00403087
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004030B0
wsprintfA.USER32 ref: 004030C0

Strings

... %d%%, xrefs: 004030BA

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 13a642c4274617a414d88f58a4bd63043f719dcf11f9aa526733c2ab21188e3c
Instruction ID: a5b3666d5e6f2648317cea794876ab8fd5a8a7e10cba6e045702c7ef747b340d
Opcode Fuzzy Hash: 13a642c4274617a414d88f58a4bd63043f719dcf11f9aa526733c2ab21188e3c
Instruction Fuzzy Hash: A6518E72901219ABCF10DF65DA44A9F7BB8EF08756F14413BE900BB2D0C7789E51CBA9

Function 00405B45 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B59
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B73

Strings

nsa, xrefs: 00405B50
"C:\Users\user\Desktop\Calyciform.exe", xrefs: 00405B45
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B48

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Calyciform.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1820811630
Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction ID: e9fbc8f02783c34a78cbc278a62deb557e4d22a3c76f63b2365399c79cbf5e20
Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction Fuzzy Hash: A0F082363042086BDB109F56ED04BAB7BA9DFA1760F14803BFA489B280D6B4A9548B58

Function 6D6A16DF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6D6A1A9C: GlobalFree.KERNEL32(?), ref: 6D6A1CEB
Part of subcall function 6D6A1A9C: GlobalFree.KERNEL32(?), ref: 6D6A1CF0
Part of subcall function 6D6A1A9C: GlobalFree.KERNEL32(?), ref: 6D6A1CF5

GlobalFree.KERNEL32(00000000), ref: 6D6A178A
FreeLibrary.KERNEL32(?), ref: 6D6A180D
GlobalFree.KERNEL32(00000000), ref: 6D6A1832

Part of subcall function 6D6A2273: GlobalAlloc.KERNEL32(00000040,?), ref: 6D6A22A4

Part of subcall function 6D6A2676: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6D6A175B,00000000), ref: 6D6A2746

Part of subcall function 6D6A156B: lstrcpyA.KERNEL32(?,?,00000000,6D6A1568,?,00000000,6D6A16B7,00000000), ref: 6D6A1581

Strings

, xrefs: 6D6A1813

Memory Dump Source

Source File: 00000000.00000002.130238628964.000000006D6A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D6A0000, based on PE: true

Associated: 00000000.00000002.130238558041.000000006D6A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238696820.000000006D6A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238759011.000000006D6A5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d6a0000_Calyciform.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 30ce2b34f13363b85b1ce4e83d54112399f7ed2dc1f2bcde612701a9280c6b14
Instruction ID: df3d9b21aebb92067daf5f773105a3a819b12fa3a33b66ba1c86831472827bf5
Opcode Fuzzy Hash: 30ce2b34f13363b85b1ce4e83d54112399f7ed2dc1f2bcde612701a9280c6b14
Instruction Fuzzy Hash: 7841B1711442069BCB01DF65CDC4BAA37E8FF1E314F0C9424EAE99E082DB78E845C7A4

Function 004023D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,00000023,?,00000000,00000002,00000011,00000002), ref: 00402421
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 0040245E
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402542

Strings

C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp, xrefs: 00402412, 00402434, 00402448, 00402453

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp
API String ID: 2655323295-3793470382
Opcode ID: 5c5f997e17c276601e0a937601899c64a6f9f236e5cda533efe2a351a50a9f63
Instruction ID: b9f9fe5e010ce9562f7769f0650a0fc1c691aa098229d6fee64222e6c9067592
Opcode Fuzzy Hash: 5c5f997e17c276601e0a937601899c64a6f9f236e5cda533efe2a351a50a9f63
Instruction Fuzzy Hash: 29119371E00215BEDB10EFA5DE49EAEBA74EB54318F20843BF504F71D1C6B94D419B28

Function 00402BCD Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: e80e024fca40de8deb0b9c297206eede72932d1e756bb36d88eb62ad8731df9a
Instruction ID: c4db57b0a2e4c89af525aedefa8ad358439d5fabd543c2a0248dd752bef9be78
Opcode Fuzzy Hash: e80e024fca40de8deb0b9c297206eede72932d1e756bb36d88eb62ad8731df9a
Instruction Fuzzy Hash: 16115832504109FBEF129F90CF09F9E7B69AB48390F104032BD45B51E0EBB59E11AAA8

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 004059AE: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,?,00405A1A,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,759B3410,?,C:\Users\user\AppData\Local\Temp\,00405765,?,759B3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059BC
Part of subcall function 004059AE: CharNextA.USER32(00000000), ref: 004059C1
Part of subcall function 004059AE: CharNextA.USER32(00000000), ref: 004059D5

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040556A: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055AD

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant
API String ID: 1892508949-1972144218
Opcode ID: f944addbffdc5359a2d4be80e18e3c112ce2152a72db2dd5999d42c8552c2502
Instruction ID: e2f0057a106d67730eaa6cdd0667b4b20a1f2aaf6f6dd3ced09863daba4193e1
Opcode Fuzzy Hash: f944addbffdc5359a2d4be80e18e3c112ce2152a72db2dd5999d42c8552c2502
Instruction Fuzzy Hash: 5C112B31104151EBCF217BB54D418BF66B09E92324B28053FE5D1B22E3D63D4D42963F

Function 00405018 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405047
CallWindowProcA.USER32(?,?,?,?), ref: 00405098

Part of subcall function 00404068: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040407A

Strings

, xrefs: 00405028

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: d6227ddab35ba9883f4bf3de8d352398880cea24f9ab2b0966d31f7a69b3ea3c
Instruction ID: fa8f59a087aa50fe202e55d5174182462002e51d1c5a0d53021f2a5da998cc86
Opcode Fuzzy Hash: d6227ddab35ba9883f4bf3de8d352398880cea24f9ab2b0966d31f7a69b3ea3c
Instruction Fuzzy Hash: 99012171100608AFDF215F21DD85EAF3625EB84764F244137FA41B61D1C77A8C52DEAD

Function 004024E5 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402517
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00020019), ref: 0040252A
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 4ce795806b6c34a08036df2528e62c51d3c7848a772003a22270b57cbfd3e389
Instruction ID: 518d0c9c0f1d18e9ba130a50ca70a4c0b748d884a109ef79be1f353746569a5a
Opcode Fuzzy Hash: 4ce795806b6c34a08036df2528e62c51d3c7848a772003a22270b57cbfd3e389
Instruction Fuzzy Hash: 000171B1A04205FFEB159FA99E9CEBF7A7CDF40348F10443EF145A61C0DAB84A459729

Function 00402473 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024A3
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,00000000,?,00000000,00000002,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 62a405257dbccccdf4459e09d2506fbeb6a6094d3e10b40de752ac69d2ee2f48
Instruction ID: 16843ebe9de4b10a0f02fc33a3446f9eb73abb2b3234f807e7777e2680f676dd
Opcode Fuzzy Hash: 62a405257dbccccdf4459e09d2506fbeb6a6094d3e10b40de752ac69d2ee2f48
Instruction Fuzzy Hash: BF11E371A01205FEDF15CF64DA989AEBBB49F00348F20843FE445B72C0D6B84A81DB69

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f1e14ae547b8f36b78d572cd64f3e527c113299c5085ae7931b2eb67e5d22d6e
Instruction ID: b093ac6dabfd3bf5cd98619b9c3e878c543c382afaa1261ab96434968757bf0e
Opcode Fuzzy Hash: f1e14ae547b8f36b78d572cd64f3e527c113299c5085ae7931b2eb67e5d22d6e
Instruction Fuzzy Hash: C601F4316202209FE7094B389D04B6A36A8E751354F10813FF955F65F2D678CC028B4C

Function 00402381 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033,00000002), ref: 004023A2
RegCloseKey.ADVAPI32(00000000), ref: 004023AB

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: ed07491808814ac3c7d265f21d5c8819d026f427cdbf96fc029232a67ca02252
Instruction ID: 8aec8fe7cd38f654026d76d8600474ef4a57e980fe65a380d0022aaa37355860
Opcode Fuzzy Hash: ed07491808814ac3c7d265f21d5c8819d026f427cdbf96fc029232a67ca02252
Instruction Fuzzy Hash: 27F09C32A00511ABD711BBE89B8EABE76A49B40314F25443FE602B71C1DAFC4D02876D

Function 00401A1E Relevance: 3.0, APIs: 2, Instructions: 30stringCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A31
lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A44

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: EnvironmentExpandStringslstrcmp
String ID:
API String ID: 1938659011-0
Opcode ID: 72ef6e96795b29577b9889454cd472796f3eff7e8774e8bc8714fe491a506ca6
Instruction ID: ebe663b7bc3ba7a189a06dab4aa1d5f3cbe4965007ea0afe01e1c09fb46068e6
Opcode Fuzzy Hash: 72ef6e96795b29577b9889454cd472796f3eff7e8774e8bc8714fe491a506ca6
Instruction Fuzzy Hash: 4EF08231705241EBCB21DF659D08A9BBEE8EF91354B10843BE185F61A0D6388512CA2C

Function 00401E2B Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E49
EnableWindow.USER32(00000000,00000000), ref: 00401E54

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: ce05e9415eb1c43b57a64d345dc0c3369d7b2077b414a09edc794f77630778db
Instruction ID: d2bea1c1c0aacda3dd255fed30ad1f680590af6f3d359f9745203f9ff1fc1010
Opcode Fuzzy Hash: ce05e9415eb1c43b57a64d345dc0c3369d7b2077b414a09edc794f77630778db
Instruction Fuzzy Hash: 02E01272B04212AFDB14EBE5EA499EEB7B4DF40319B10443FE411F11D1DA7849419F5D

Function 00406315 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040325C,0000000A), ref: 00406327
GetProcAddress.KERNEL32(00000000,?), ref: 00406342

Part of subcall function 004062A7: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062BE
Part of subcall function 004062A7: wsprintfA.USER32 ref: 004062F7
Part of subcall function 004062A7: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040630B

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction ID: cd2a927f582b596fa2e162cbd064daf7ca6e898847132114174d0915a8f4e586
Opcode Fuzzy Hash: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction Fuzzy Hash: BCE0863260421057D61066745E0493BA3A89F94700302083EFD47F2140D73C9C3196AD

Function 00405B16 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\Calyciform.exe,80000000,00000003), ref: 00405B1A
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B3C

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19

Function 00405AF1 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,00405709,?,?,00000000,004058EC,?,?,?,?), ref: 00405AF6
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B0A

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction ID: 414a467aaabbe507cf471caeb43fbb4459db83339ab651609fa67d9973c7acb5
Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction Fuzzy Hash: 60D0C972504125AFC2103728AE0C89BBB65DB54271702CE35F8A9A26B2DB304C969A98

Function 004055E7 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031DC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 004055ED
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004055FB

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction ID: 4c9d675ee46a87f1ce13dde1798736571a6da7ffae6fc201d3902fb2775d8c1a
Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction Fuzzy Hash: 2AC04C30204501EBD7515B31DE08B177A56AB91781F11883D618AE41B4DA358455DE2E

Function 6D6A29C0 Relevance: 2.7, APIs: 2, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 6D6A2A7F
GetLastError.KERNEL32 ref: 6D6A2B86

Memory Dump Source

Source File: 00000000.00000002.130238628964.000000006D6A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D6A0000, based on PE: true

Associated: 00000000.00000002.130238558041.000000006D6A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238696820.000000006D6A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238759011.000000006D6A5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d6a0000_Calyciform.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 3108a2b753b230abfe1fa6b54b29032b31683c2dec05dc748442997b5393bbb3
Instruction ID: d03fffc7f364959282952c14d148d3034d23cf52058cd17001157417100a590a
Opcode Fuzzy Hash: 3108a2b753b230abfe1fa6b54b29032b31683c2dec05dc748442997b5393bbb3
Instruction Fuzzy Hash: 4D51AE72888215EFCB309F67D850B5D77B4EB2E758F2DA42AD68CC6210DB34BC409B64

Function 004025CA Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 255e133b5fdcbc2f7a9ca64d0d55690020652cb371cb3a25a4775619f9253d8f
Instruction ID: c2a1b850aa9b93e4cbc4820df7219add1c6eba77a771e25ce3fc61ee94bd300f
Opcode Fuzzy Hash: 255e133b5fdcbc2f7a9ca64d0d55690020652cb371cb3a25a4775619f9253d8f
Instruction Fuzzy Hash: C121E770C04299BADF218BA99548AAEBF749F11314F1448BFE490B62D1C6BD8A81CF19

Function 00402688 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A6

Part of subcall function 00405EDB: wsprintfA.USER32 ref: 00405EE8

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 8303a16c8324cd1585bb4d8f8fd59fc2d4d610d9dc2ffc373cffb4fce9594ffb
Instruction ID: 110f2c4880f6573f93162833435315c6132d41cf51db6092c043686707d14882
Opcode Fuzzy Hash: 8303a16c8324cd1585bb4d8f8fd59fc2d4d610d9dc2ffc373cffb4fce9594ffb
Instruction Fuzzy Hash: 39E0EDB2B00116AADB01EBD5AA49CBFB768DF40318B10403BF141B50D1CA7D4A029B2D

Function 004022FC Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402335

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: a35f8e91713f0605e290066fe2cc807c403f3e4948e2e514c4de22b42c68f79f
Instruction ID: fc3d639ee2ba9d49225374e904560d05d066977e3d8f4235cfc91afb5433c7ac
Opcode Fuzzy Hash: a35f8e91713f0605e290066fe2cc807c403f3e4948e2e514c4de22b42c68f79f
Instruction Fuzzy Hash: 2FE012317005146BD72076B10FCE96F10989BC4308B284D3AF502761C6DDBD4D4245B9

Function 00405E31 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B7C,00000000,?,?), ref: 00405E5A

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 33ca04e46434342caff68362b3d2cda83283301915701ba1f7808c3e8cd8b3f6
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: F9E0ECB211050DBEEF195F90DD0ADBB3B1DEB04344F50492EFA46E4090E6B5EA20AE78

Function 00405B8E Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040319E,00000000,00000000,00402FEB,000000FF,00000004,00000000,00000000,00000000), ref: 00405BA2

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction ID: a6de1eac7d35dbb408d2fa80093daaad73b751b804ef2b379125a3e319db5d80
Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction Fuzzy Hash: 46E0EC3221565AABEF119E559C00AEB7B6CEB05360F004476FD15E3190D6B1FA219BA4

Function 00405BBD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403154,00000000,0078A0F8,000000FF,0078A0F8,000000FF,000000FF,00000004,00000000), ref: 00405BD1

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: b26364db078b9021274dcd752d930f9f8b31cc58193ee345d62fa94dbd0509c3
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: 2EE0EC3221865AABDF609E559C00AEB7B7CEB05364F044437F925EA190D631F821DBA8

Function 6D6A28E5 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6D6A404C,00000004,00000040,6D6A403C), ref: 6D6A2903

Memory Dump Source

Source File: 00000000.00000002.130238628964.000000006D6A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D6A0000, based on PE: true

Associated: 00000000.00000002.130238558041.000000006D6A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238696820.000000006D6A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238759011.000000006D6A5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d6a0000_Calyciform.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3310208b1ce33fe530ac9b938639dfa83ed19459687793c96509a7afdfe553f4
Instruction ID: bd45d40a66963d104366350c1c07b23602351b684da38597e6de719f00b2fdc8
Opcode Fuzzy Hash: 3310208b1ce33fe530ac9b938639dfa83ed19459687793c96509a7afdfe553f4
Instruction Fuzzy Hash: C7F098B1504261DFCB60CF6ACC64B0A7EF0A32E394B1A452AE1DCD7241EBB47444AB11

Function 00405E03 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,0079ED20,?,?,00405E91,0079ED20,?,?,?,00000002,Call), ref: 00405E27

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 2a8135548ed97db7cee66e6f72713ae5fed4585321cbc755a00175e49ece29d7
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: B7D0EC32000209BADF115F90ED05FAB371DEB08350F004C26BE45A4091D6759530AA58

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ae5eb4e70040e39fd4e8cee9a21dba8a6012123299c742fcadf8cd6264d7fe54
Instruction ID: 6c3c7c81edca22ef1082c61e7c8c2dbb2dad1037c78d96895750c72c7df92d73
Opcode Fuzzy Hash: ae5eb4e70040e39fd4e8cee9a21dba8a6012123299c742fcadf8cd6264d7fe54
Instruction Fuzzy Hash: 81D01272704111DBCB01EBE89B489DDB7A49B40328B308537D111F21D1D6B98A45A72D

Function 00404051 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403E81), ref: 0040405F

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 346968a0720bb3734bf3dae4b81c014f7857494700bdb546aecc84c256ab8e1e
Instruction ID: f42b45c65ed6a3ee6e87ec929b41dfaaf359f69b17cd9f6c2b1881eba3545dd7
Opcode Fuzzy Hash: 346968a0720bb3734bf3dae4b81c014f7857494700bdb546aecc84c256ab8e1e
Instruction Fuzzy Hash: 64B09235180A00AAEA114B00DE09F457A62A7A4701F008068B250240F1CAB200A1DB08

Function 004031A1 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F2A,000309E4), ref: 004031AF

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 6D6A1215 Relevance: 1.3, APIs: 1, Instructions: 4memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,6D6A1233,?,6D6A12CF,-6D6A404B,6D6A11AB,-000000A0), ref: 6D6A121D

Memory Dump Source

Source File: 00000000.00000002.130238628964.000000006D6A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D6A0000, based on PE: true

Associated: 00000000.00000002.130238558041.000000006D6A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238696820.000000006D6A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238759011.000000006D6A5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d6a0000_Calyciform.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: cacb47391f0058fb2ec7786e60204e82fdcd19f79bafb7d9837a3a5791711cd2
Instruction ID: e4ba902bdc1968fac0dcb4fd1b8bd9cbba5eb848a8650f6b02d60bfb381ea045
Opcode Fuzzy Hash: cacb47391f0058fb2ec7786e60204e82fdcd19f79bafb7d9837a3a5791711cd2
Instruction Fuzzy Hash: A4A00271944120DBDF419BE2CE2AF1C3B31E74E701F0AC080E39954194CBB57010EB36

Non-executed Functions

Function 004051E2 Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405241
GetDlgItem.USER32(?,000003EE), ref: 00405250
GetClientRect.USER32(?,?), ref: 0040528D
GetSystemMetrics.USER32(00000002), ref: 00405294
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052B5
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052C6
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052D9
SendMessageA.USER32(?,00001026,00000000,?), ref: 004052E7
SendMessageA.USER32(?,00001024,00000000,?), ref: 004052FA
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040531C
ShowWindow.USER32(?,00000008), ref: 00405330
GetDlgItem.USER32(?,000003EC), ref: 00405351
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405361
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040537A
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405386
GetDlgItem.USER32(?,000003F8), ref: 0040525F

Part of subcall function 00404051: SendMessageA.USER32(00000028,?,00000001,00403E81), ref: 0040405F

GetDlgItem.USER32(?,000003EC), ref: 004053A2
CreateThread.KERNEL32(00000000,00000000,Function_00005176,00000000), ref: 004053B0
CloseHandle.KERNEL32(00000000), ref: 004053B7
ShowWindow.USER32(00000000), ref: 004053DA
ShowWindow.USER32(?,00000008), ref: 004053E1
ShowWindow.USER32(00000008), ref: 00405427
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040545B
CreatePopupMenu.USER32 ref: 0040546C
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405481
GetWindowRect.USER32(?,000000FF), ref: 004054A1
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054BA
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054F6
OpenClipboard.USER32(00000000), ref: 00405506
EmptyClipboard.USER32 ref: 0040550C
GlobalAlloc.KERNEL32(00000042,?), ref: 00405515
GlobalLock.KERNEL32(00000000), ref: 0040551F
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405533
GlobalUnlock.KERNEL32(00000000), ref: 0040554C
SetClipboardData.USER32(00000001,00000000), ref: 00405557
CloseClipboard.USER32 ref: 0040555D

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID:
API String ID: 590372296-0
Opcode ID: 50861b10ebe7a14382441023bc4f9bef1f96d390183c4be7e20a120c4e5e890c
Instruction ID: cba8cb344929e6fa6818a5c25344ad4bfa6cf128d012b59fb2cbbdf576d19343
Opcode Fuzzy Hash: 50861b10ebe7a14382441023bc4f9bef1f96d390183c4be7e20a120c4e5e890c
Instruction Fuzzy Hash: C2A16B70900608BFDF119F64DE89EAE7B79FF48354F00402AFA45B61A1C7794E529F68

Function 004044AE Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004044FD
SetWindowTextA.USER32(00000000,?), ref: 00404527
SHBrowseForFolderA.SHELL32(?,0079E918,?), ref: 004045D8
CoTaskMemFree.OLE32(00000000), ref: 004045E3
lstrcmpiA.KERNEL32(Call,0079F540), ref: 00404615
lstrcatA.KERNEL32(?,Call), ref: 00404621
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404633

Part of subcall function 0040567D: GetDlgItemTextA.USER32(?,?,00000400,0040466A), ref: 00405690

Part of subcall function 004061E7: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Calyciform.exe",759B3410,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 0040623F
Part of subcall function 004061E7: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040624C
Part of subcall function 004061E7: CharNextA.USER32(?,"C:\Users\user\Desktop\Calyciform.exe",759B3410,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 00406251
Part of subcall function 004061E7: CharPrevA.USER32(?,?,759B3410,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 00406261

GetDiskFreeSpaceA.KERNEL32(0079E510,?,?,0000040F,?,0079E510,0079E510,?,00000001,0079E510,?,?,000003FB,?), ref: 004046F1
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040470C

Part of subcall function 00404865: lstrlenA.KERNEL32(0079F540,0079F540,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404780,000000DF,00000000,00000400,?), ref: 00404903
Part of subcall function 00404865: wsprintfA.USER32 ref: 0040490B
Part of subcall function 00404865: SetDlgItemTextA.USER32(?,0079F540), ref: 0040491E

Strings

user32::CallWindowProcW(ir1 ,i 0,i 0, i 0, i 0), xrefs: 004044C7
Call, xrefs: 0040460F, 00404614, 0040461F
A, xrefs: 004045D1
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant, xrefs: 004045FE

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant$Call$user32::CallWindowProcW(ir1 ,i 0,i 0, i 0, i 0)
API String ID: 2624150263-1265869078
Opcode ID: 835ebef96d9a185249aca47752db4aea3ea54f97fa15e05f5d6c04df71dbffb3
Instruction ID: c3220bc8085252b6637529823acfaab3e79984cbb1e105c0cbc22f2c5a0eab13
Opcode Fuzzy Hash: 835ebef96d9a185249aca47752db4aea3ea54f97fa15e05f5d6c04df71dbffb3
Instruction Fuzzy Hash: 61A171B1900209ABDB11EFA6CD45AAFB7B8EF85314F10443BF601B72D1D77C8A418B69

Function 004020D1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408408,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402153
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402202

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant
API String ID: 123533781-1972144218
Opcode ID: de3331bcb14db5fb4a40cac8f259df6afe6a407762841a132ab945fc632ec83d
Instruction ID: 4e8ff9b20089176bdb9f75031619ec66fd88291c4b8ac445023bd740ba84d334
Opcode Fuzzy Hash: de3331bcb14db5fb4a40cac8f259df6afe6a407762841a132ab945fc632ec83d
Instruction Fuzzy Hash: 4B511871A00208BFCB10DFE4C989A9D7BB5EF48318F2085AAF515EB2D1DA799941CF54

Function 004026FE Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040270D

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 44ebcace5f7d2fa9e21198272cfdc3a284c030ee536b71b2141a6cefce344cf4
Instruction ID: d02168588d0434b50479f8c5d7bfa648a046adbf5aa12c789179644532e0cc19
Opcode Fuzzy Hash: 44ebcace5f7d2fa9e21198272cfdc3a284c030ee536b71b2141a6cefce344cf4
Instruction Fuzzy Hash: 19F0A072604111EBD701E7A49949DEEB7688F15328FA0457BE281F20C1D6B88A459B3A

Function 0040643A Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb106f398ba1a0e21959c13ec1d6d11c240689beb3471cc1bcfdbe3de21b473
Instruction ID: e60838e0b176701c88e9c062d98c60c8667d50fbcac6fb941192698cb1fad19d
Opcode Fuzzy Hash: 4eb106f398ba1a0e21959c13ec1d6d11c240689beb3471cc1bcfdbe3de21b473
Instruction Fuzzy Hash: F7F054208047505DD7319A38441476B7AE05B11318F160F3FE5EBB22D1C77C99AAC69F

Function 00404187 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404212
GetDlgItem.USER32(00000000,000003E8), ref: 00404226
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404244
GetSysColor.USER32(?), ref: 00404255
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404264
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404273
lstrlenA.KERNEL32(?), ref: 00404276
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404285
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040429A
GetDlgItem.USER32(?,0000040A), ref: 004042FC
SendMessageA.USER32(00000000), ref: 004042FF
GetDlgItem.USER32(?,000003E8), ref: 0040432A
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040436A
LoadCursorA.USER32(00000000,00007F02), ref: 00404379
SetCursor.USER32(00000000), ref: 00404382
LoadCursorA.USER32(00000000,00007F00), ref: 00404398
SetCursor.USER32(00000000), ref: 0040439B
SendMessageA.USER32(00000111,00000001,00000000), ref: 004043C7
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043DB

Strings

Call, xrefs: 00404355
RA@, xrefs: 00404386
N, xrefs: 00404318

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$RA@
API String ID: 3103080414-2992999996
Opcode ID: 937b42b3135c4e1aa36ae5a1725e39aac0471f252f69529ff53d1d3c1c1a1b80
Instruction ID: 9d4f5b614004455fa0fc48963a53335b2d61895e96ab3f79d0888a2017683c32
Opcode Fuzzy Hash: 937b42b3135c4e1aa36ae5a1725e39aac0471f252f69529ff53d1d3c1c1a1b80
Instruction Fuzzy Hash: E761C5B1A40205BFEB109F61DD45F6A3B69FB84704F10802AFB05BA2D1C7BCA951CF98

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Burseraceae Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Burseraceae Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: Burseraceae Setup$F
API String ID: 941294808-2921618269
Opcode ID: 5d259313e85fbaf708a0b03883ff4ad94c3fd8dcebbcebd210a7d21844077b3d
Instruction ID: 38fadef1db352f82975619da7fddedca022a80716c75150ab5a709db8b4f24fa
Opcode Fuzzy Hash: 5d259313e85fbaf708a0b03883ff4ad94c3fd8dcebbcebd210a7d21844077b3d
Instruction Fuzzy Hash: CB416C71800249AFCB058F95DE459AFBBB9FF45314F00802EF9A1AA1A0C778DA55DFA4

Function 00405BEC Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405D7D,?,?), ref: 00405C1D
GetShortPathNameA.KERNEL32(?,007A12D0,00000400), ref: 00405C26

Part of subcall function 00405A7B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CD6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A8B
Part of subcall function 00405A7B: lstrlenA.KERNEL32(00000000,?,00000000,00405CD6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405ABD

GetShortPathNameA.KERNEL32(?,007A16D0,00000400), ref: 00405C43
wsprintfA.USER32 ref: 00405C61
GetFileSize.KERNEL32(00000000,00000000,007A16D0,C0000000,00000004,007A16D0,?,?,?,?,?), ref: 00405C9C
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405CAB
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE3
SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,007A0ED0,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D39
GlobalFree.KERNEL32(00000000), ref: 00405D4A
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D51

Part of subcall function 00405B16: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\Calyciform.exe,80000000,00000003), ref: 00405B1A
Part of subcall function 00405B16: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B3C

Strings

%s=%s, xrefs: 00405C57
[Rename], xrefs: 00405CCB, 00405CDD

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: 45160d7d980c9177ced87b727a44c84efcd25dff5150337c1955e55c924b3a17
Instruction ID: 022478914a54526cde4d083c9269fc90008e130feab77c5089d91aa4570e4fa5
Opcode Fuzzy Hash: 45160d7d980c9177ced87b727a44c84efcd25dff5150337c1955e55c924b3a17
Instruction Fuzzy Hash: 6131DF31201B196BD2207B659D4CF6B3A5CDF85794F24053BBA01F62D2EA7CA8058EAD

Function 004050A4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0079ED20,00000000,00790EF8,759B23A0,?,?,?,?,?,?,?,?,?,004030D4,00000000,?), ref: 004050DD
lstrlenA.KERNEL32(004030D4,0079ED20,00000000,00790EF8,759B23A0,?,?,?,?,?,?,?,?,?,004030D4,00000000), ref: 004050ED
lstrcatA.KERNEL32(0079ED20,004030D4,004030D4,0079ED20,00000000,00790EF8,759B23A0), ref: 00405100
SetWindowTextA.USER32(0079ED20,0079ED20), ref: 00405112
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405138
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405152
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405160

Strings

y, xrefs: 004050C4

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: y
API String ID: 2531174081-1062152503
Opcode ID: 0e5bc111e7764b859d703c7cd38c1a52b54818a96c636b509d6d72182c6d6877
Instruction ID: 0aa0aab3041eb49126eaccb75638caacaba84434fae24d46564a95eb40ba5f91
Opcode Fuzzy Hash: 0e5bc111e7764b859d703c7cd38c1a52b54818a96c636b509d6d72182c6d6877
Instruction Fuzzy Hash: 85219D71D00518BEDF119FA5DD81ADFBFA9EB45354F14807AF504BA291C7388E418FA8

Function 004061E7 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Calyciform.exe",759B3410,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 0040623F
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040624C
CharNextA.USER32(?,"C:\Users\user\Desktop\Calyciform.exe",759B3410,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 00406251
CharPrevA.USER32(?,?,759B3410,C:\Users\user\AppData\Local\Temp\,00000000,004031C4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 00406261

Strings

"C:\Users\user\Desktop\Calyciform.exe", xrefs: 00406223
*?|<>/":, xrefs: 0040622F
C:\Users\user\AppData\Local\Temp\, xrefs: 004061E8

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Calyciform.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-275678242
Opcode ID: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction ID: 21773b32b681db819c24220f05ced2ff1897e85ed8b94fc5b560f7e9dc9cebfa
Opcode Fuzzy Hash: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction Fuzzy Hash: D511BF6180479129FB3236240C44BB7AF998F977A0F1A00BFE5D6722C2D67C5CA2966D

Function 00404083 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040A0
GetSysColor.USER32(00000000), ref: 004040DE
SetTextColor.GDI32(?,00000000), ref: 004040EA
SetBkMode.GDI32(?,?), ref: 004040F6
GetSysColor.USER32(?), ref: 00404109
SetBkColor.GDI32(?,?), ref: 00404119
DeleteObject.GDI32(?), ref: 00404133
CreateBrushIndirect.GDI32(?), ref: 0040413D

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction ID: 14bb72118498863180d434f19a0418890adeb1616dfc149a02695bee4dee3a88
Opcode Fuzzy Hash: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction Fuzzy Hash: 422162715007049BCB309F68DD4CB5BBBF8AF91714B04893EEA96A62E0D734E984CB54

Function 6D6A249C Relevance: 10.6, APIs: 7, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 6D6A1215: GlobalAlloc.KERNELBASE(00000040,6D6A1233,?,6D6A12CF,-6D6A404B,6D6A11AB,-000000A0), ref: 6D6A121D

GlobalFree.KERNEL32(?), ref: 6D6A25A2
GlobalFree.KERNEL32(00000000), ref: 6D6A25DC

Memory Dump Source

Source File: 00000000.00000002.130238628964.000000006D6A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D6A0000, based on PE: true

Associated: 00000000.00000002.130238558041.000000006D6A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238696820.000000006D6A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238759011.000000006D6A5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d6a0000_Calyciform.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 954ac476da94ab9b2f3d0ffb3aebb4d8cb530d5cec387bc993150d7e1e9d8f23
Instruction ID: 7bf97345dd375339e31dcb47c73984a66e616741da3122e8041fb16322dd4f04
Opcode Fuzzy Hash: 954ac476da94ab9b2f3d0ffb3aebb4d8cb530d5cec387bc993150d7e1e9d8f23
Instruction Fuzzy Hash: 1C41AE72588212EFC7258F96CCA4D6E7BB9FB8F749B098529F5C583100CB71AC04DB62

Function 0040496F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040498A
GetMessagePos.USER32 ref: 00404992
ScreenToClient.USER32(?,?), ref: 004049AC
SendMessageA.USER32(?,00001111,00000000,?), ref: 004049BE
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004049E4

Strings

f, xrefs: 004049C0

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: a28b31c987ffe71ebed06cd45d35d2090213a5ff436324a44693cf4fbc71b07e
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: F7015EB5900219BAEB00DBA5DD85BFFBBBCAF55711F10412BBB51B61C0C7B49901CBA4

Function 00401D9B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D9E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
ReleaseDC.USER32(?,00000000), ref: 00401DD1
CreateFontIndirectA.GDI32(0040B7E8), ref: 00401E20

Strings

Times New Roman, xrefs: 00401E06

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: 91bb750de4b5d44c6d39cdf1c1eabfd736e9a6544dc134e4c91b233d15554033
Instruction ID: 2ad56a654efc6cf1735b667c3c7d9d5e2d080a44a70240ddf1560951203afcdd
Opcode Fuzzy Hash: 91bb750de4b5d44c6d39cdf1c1eabfd736e9a6544dc134e4c91b233d15554033
Instruction Fuzzy Hash: BE01B171944242AFE7015BB1AE4AB9A7FB4DB95305F10443AF251BB2E2CB7800459F6D

Function 00402C7C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C97
MulDiv.KERNEL32(0006670E,00000064,000689B0), ref: 00402CC2
wsprintfA.USER32 ref: 00402CD2
SetWindowTextA.USER32(?,?), ref: 00402CE2
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CF4

Strings

verifying installer: %d%%, xrefs: 00402CCC

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 5bc376e969e12caa47fa3f233e97b7e9205a4f9680dc87fa7bda5c810414eec7
Instruction ID: de2615d2472e4fc16c898f89e06f4c65c316d83b10e4b0077f24645c8aa4783b
Opcode Fuzzy Hash: 5bc376e969e12caa47fa3f233e97b7e9205a4f9680dc87fa7bda5c810414eec7
Instruction Fuzzy Hash: E8014F70540209FBEF249F61DE4AEEE3769EB04304F00803AFA16B92D0DBB989518F59

Function 6D6A22B5 Relevance: 9.1, APIs: 6, Instructions: 140memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6D6A240B

Part of subcall function 6D6A1224: lstrcpynA.KERNEL32(00000000,?,6D6A12CF,-6D6A404B,6D6A11AB,-000000A0), ref: 6D6A1234

GlobalAlloc.KERNEL32(00000040,?), ref: 6D6A2386
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6D6A239B
GlobalAlloc.KERNEL32(00000040,00000010), ref: 6D6A23AC
CLSIDFromString.OLE32(00000000,00000000), ref: 6D6A23BA
GlobalFree.KERNEL32(00000000), ref: 6D6A23C1

Memory Dump Source

Source File: 00000000.00000002.130238628964.000000006D6A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D6A0000, based on PE: true

Associated: 00000000.00000002.130238558041.000000006D6A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238696820.000000006D6A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238759011.000000006D6A5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d6a0000_Calyciform.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 9f7f4ea8c0ddf2caaeb460024657992f0588c9f480d96571657e75d29c284b90
Instruction ID: 205435b77d6fc1df19d3a9fa947501bbc212af34ee6d5fcacbb606b4485d25ac
Opcode Fuzzy Hash: 9f7f4ea8c0ddf2caaeb460024657992f0588c9f480d96571657e75d29c284b90
Instruction Fuzzy Hash: 45419F71588312DFD724CF66C840B6AB7F8FB4E311F089819E6DACA140D774AC858B61

Function 0040273C Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00030A00,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
GlobalFree.KERNEL32(?), ref: 004027EB
GlobalFree.KERNEL32(00000000), ref: 004027FE
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: b6e2ce3a99fffcf8e0e79c283e33d87fe4325d14b43d938f50b183fbca7180bc
Instruction ID: a3aa65fdc26674a25697bbf1b98d1dc7df5c11bc78c453e7b8258ed70cc26f26
Opcode Fuzzy Hash: b6e2ce3a99fffcf8e0e79c283e33d87fe4325d14b43d938f50b183fbca7180bc
Instruction Fuzzy Hash: 41219F71800124BBDF207FA5CE89DAE7B79AF49364F14823AF510762E0CB794D419F68

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D45
GetClientRect.USER32(00000000,?), ref: 00401D52
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D73
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
DeleteObject.GDI32(00000000), ref: 00401D90

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: a4e1bb267f21d13dce46d980b0e60fea8a676a260fcdc139885163ed62c0b7c3
Instruction ID: 86ae4d2b40e720423d53cfa3fe8a52c583987269cec1c9f3ad3a23d9d9d7ea30
Opcode Fuzzy Hash: a4e1bb267f21d13dce46d980b0e60fea8a676a260fcdc139885163ed62c0b7c3
Instruction Fuzzy Hash: F6F0AFB2600515BFDB01EBE4DE89DEFB7BCEB44345B14446AF641F6191CA749D018B38

Function 00404865 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(0079F540,0079F540,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404780,000000DF,00000000,00000400,?), ref: 00404903
wsprintfA.USER32 ref: 0040490B
SetDlgItemTextA.USER32(?,0079F540), ref: 0040491E

Strings

%u.%u%s%s, xrefs: 004048ED

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 5f074f6faf701013ce45bc378f4b03b5d4ee46098f1275575472d42f1ef86f4b
Instruction ID: 24807b9fc88fe5fbc2e72c1c6e729af153b5b07cedbd852725a961613b6e70ef
Opcode Fuzzy Hash: 5f074f6faf701013ce45bc378f4b03b5d4ee46098f1275575472d42f1ef86f4b
Instruction Fuzzy Hash: 99110A776045282BEB01657D9C41EAF3288DB81378F254637FA26F72D1E978CC1246E8

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 923bedeed5d7b8d7984d68c2ba9ede72919c9759eaf6e2c39352329f0efb5f52
Instruction ID: 435bc4df3b74c2d8df546d11ce2c7183e26475550abba04b2436001ae32cf151
Opcode Fuzzy Hash: 923bedeed5d7b8d7984d68c2ba9ede72919c9759eaf6e2c39352329f0efb5f52
Instruction Fuzzy Hash: 4B21A271E44209BEEF15DFA5D986AAD7BB4EF84304F24843EF501B61E0CB7885418F28

Function 00405A03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405F7D: lstrcpynA.KERNEL32(?,?,00000400,004032BB,Burseraceae Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405F8A

Part of subcall function 004059AE: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,?,00405A1A,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,759B3410,?,C:\Users\user\AppData\Local\Temp\,00405765,?,759B3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059BC
Part of subcall function 004059AE: CharNextA.USER32(00000000), ref: 004059C1
Part of subcall function 004059AE: CharNextA.USER32(00000000), ref: 004059D5

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,759B3410,?,C:\Users\user\AppData\Local\Temp\,00405765,?,759B3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A56
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,759B3410,?,C:\Users\user\AppData\Local\Temp\,00405765,?,759B3410,C:\Users\user\AppData\Local\Temp\), ref: 00405A66

Strings

C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp, xrefs: 00405A09, 00405A0E, 00405A14, 00405A4F, 00405A55, 00405A5D, 00405A65
C:\Users\user\AppData\Local\Temp\, xrefs: 00405A03

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp
API String ID: 3248276644-3650254894
Opcode ID: 59c4d439f8e780665a95aab8c0f078ab1494ed1c34d0f7562e7ab92a144acefd
Instruction ID: 99d34a1d2256cfbc911754f26576654ac704e19cee30922b90174233901e1ae6
Opcode Fuzzy Hash: 59c4d439f8e780665a95aab8c0f078ab1494ed1c34d0f7562e7ab92a144acefd
Instruction Fuzzy Hash: 48F0A431315D5156C622323A1C4AAAF0A48CEC7364749463BF861B12D3DA3C89439D6E

Function 00405915 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031D6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 0040591B
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031D6,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004033FB,?,00000006,00000008,0000000A), ref: 00405924
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405935

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405915

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction ID: da490e60620d11e3c07f2fcccd6c796fdaa9f48d202f5171465a07f32f6e55b9
Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction Fuzzy Hash: B5D0A9A2201E30BED20227169C09ECB2A08CF2231AB05043BF240B61A1CA7C4D428BFE

Function 004059AE Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,?,00405A1A,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp,759B3410,?,C:\Users\user\AppData\Local\Temp\,00405765,?,759B3410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059BC
CharNextA.USER32(00000000), ref: 004059C1
CharNextA.USER32(00000000), ref: 004059D5

Strings

C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp, xrefs: 004059AF

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp
API String ID: 3213498283-3793470382
Opcode ID: 6ae5a98c75981dc822015e60cfe3a73e92d8e62117e7577616a1c134a98ac786
Instruction ID: 53b5fd27e09cdb27f7d5e0d280f650891fab3cf45ffc187ddecf7516587659fd
Opcode Fuzzy Hash: 6ae5a98c75981dc822015e60cfe3a73e92d8e62117e7577616a1c134a98ac786
Instruction Fuzzy Hash: D4F0F6D1908F50EAFB32A6244C54B776B89CB55370F14457BD680772C1C27C4C409FAA

Function 00402CFF Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402EDF,00000001), ref: 00402D12
GetTickCount.KERNEL32 ref: 00402D30
CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
ShowWindow.USER32(00000000,00000005), ref: 00402D5B

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 87f9a02f322897d0e4f948bf7da259dfca77796329a29cb391b18909f99ca198
Instruction ID: b66414e99a5f690dcfe7c27c209bc19b2a06c79591cef1c7d36985daa8eb92e7
Opcode Fuzzy Hash: 87f9a02f322897d0e4f948bf7da259dfca77796329a29cb391b18909f99ca198
Instruction Fuzzy Hash: D6F05E30401621EBC6116B68FFCEE8F7B74AB45B02712457BF158B11E4DA7C48868B9C

Function 00405E64 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,0079ED20,?,?,?,00000002,Call,?,004060A8,80000002), ref: 00405EAA
RegCloseKey.ADVAPI32(?,?,004060A8,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,0079ED20), ref: 00405EB5

Strings

Call, xrefs: 00405E67, 00405E9B

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 2ae01f244120d487d9f351ea12627f7621f1ac4d10347c017b688b21594c6fc7
Instruction ID: be592471178a3b34147732ee01c8456e78db25e2de640fde20402d2d05791b9a
Opcode Fuzzy Hash: 2ae01f244120d487d9f351ea12627f7621f1ac4d10347c017b688b21594c6fc7
Instruction Fuzzy Hash: 88015A76500609AADF228F61CD09FDB3BA8EF59364F10442AF955A2190D378DA54CBA4

Function 0040561C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A0D48,Error launching installer), ref: 00405645
CloseHandle.KERNEL32(?), ref: 00405652

Strings

Error launching installer, xrefs: 0040562F

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 70af5941f3bc690bdcd9881a93690d3303993229d12fc254cd5844f1ea8daab6
Instruction ID: bdfa79d73584ee4add39219e15a001359f74b35d93969b7cce68af7ca5274bde
Opcode Fuzzy Hash: 70af5941f3bc690bdcd9881a93690d3303993229d12fc254cd5844f1ea8daab6
Instruction Fuzzy Hash: 7AE04FF1600209BFEB009FA0DD05F7F77ACEB50744F004821BD14F6150D675A8008A78

Function 00403716 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,759B3410,00000000,C:\Users\user\AppData\Local\Temp\,004036EE,00403508,?,?,00000006,00000008,0000000A), ref: 00403730
GlobalFree.KERNEL32(00A71F10), ref: 00403737

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403716

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 4d9750b91f9c818690002108793fa6d5ed1a6d42b958517d28de6e516f48fa46
Instruction ID: e3cd8cf2938ee13ec1fefa9c4a9681649e8a36576cb89bbd23f75385d37883fe
Opcode Fuzzy Hash: 4d9750b91f9c818690002108793fa6d5ed1a6d42b958517d28de6e516f48fa46
Instruction Fuzzy Hash: AEE0C2334011209FC6219F04FE0872A7778AF49B23F06842BF8807B36087781C534BC8

Function 0040595C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Calyciform.exe,C:\Users\user\Desktop\Calyciform.exe,80000000,00000003), ref: 00405962
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Calyciform.exe,C:\Users\user\Desktop\Calyciform.exe,80000000,00000003), ref: 00405970

Strings

C:\Users\user\Desktop, xrefs: 0040595C

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction ID: 1bd18926039b2b13e1a5e2b6749e0a20dca9854900914240940d95a6582504e3
Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction Fuzzy Hash: BAD0C9A2409DB0AEE71363249C04B9F6A88DF26715F0904B7E181F61A1C6BC4D828BAD

Function 6D6A10E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6D6A115B
GlobalFree.KERNEL32(00000000), ref: 6D6A11B4
GlobalFree.KERNEL32(?), ref: 6D6A11C7
GlobalFree.KERNEL32(?), ref: 6D6A11F5

Memory Dump Source

Source File: 00000000.00000002.130238628964.000000006D6A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6D6A0000, based on PE: true

Associated: 00000000.00000002.130238558041.000000006D6A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238696820.000000006D6A3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.130238759011.000000006D6A5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6d6a0000_Calyciform.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: c3e0d6fadc0aab94dddcdbe9728cce5ab3b235d488689e587340bc607802f3b7
Instruction ID: 5b09798495110811b98628e4d7798bd8a65257c98f0a48e595088580c820077d
Opcode Fuzzy Hash: c3e0d6fadc0aab94dddcdbe9728cce5ab3b235d488689e587340bc607802f3b7
Instruction Fuzzy Hash: B0318DB1508255AFEB018FAAD959B2ABFF8EB0E254B1D4515E9D8C2250DB78FC40CB24

Function 00405A7B Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CD6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405A8B
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405AA3
CharNextA.USER32(00000000,?,00000000,00405CD6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AB4
lstrlenA.KERNEL32(00000000,?,00000000,00405CD6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405ABD

Memory Dump Source

Source File: 00000000.00000002.130223558263.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.130223504527.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223615136.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.000000000077B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000780000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000785000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.0000000000787000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130223671522.00000000007B8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.130224420782.00000000007BA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Calyciform.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction ID: bbf0fe82adfec40a5435aad4fbaff8462ffeb4f6e62521b4b159965ff53dba99
Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction Fuzzy Hash: 9BF0C232215914BFC702DBA8CD40D9EBBA8EF46350B2540B9E840F7211D634DE019FA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Calyciform.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsf9BE0.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Bluetooth Suite help_HUN.chm

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Grundkoncept.Feh

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\Scrivano.Sek

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\anycollseq.c

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\list-drag-handle-symbolic.svg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\user-idle.png

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Puerperant\vmmouse.cat

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
Calyciform.exe

Function 004031E9 Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 366
stringcomfileCOMMON

Function 00404A21 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMON

Function 00405745 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403B48 Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 004037AB Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00405F9F Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 147
stringtimeCOMMON

Function 00402003 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
libraryloaderCOMMON

Function 0040556A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 004062A7 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00402F9C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Function 00405B45 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 6D6A16DF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 004023D6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON